@highstate/library 0.9.15 → 0.9.16

package/dist/index.js

@@ -1,23 +1,62 @@
+import { registerKnownAbbreviations, Type, defineEntity, defineUnit, fileContentSchema as fileContentSchema$1, fileMetaSchema, unitArtifactSchema, HighstateSignature, $outputs, $inputs, $args } from '@highstate/contract';
+import { Literal } from '@sinclair/typebox';
+import { omit } from 'remeda';
+
 var __defProp = Object.defineProperty;
 var __export = (target, all) => {
   for (var name in all)
     __defProp(target, name, { get: all[name], enumerable: true });
 };
+registerKnownAbbreviations([
+  "ID",
+  "URL",
+  "IP",
+  "IPs",
+  "IPv4",
+  "IPv6",
+  "DNS",
+  "FQDN",
+  "SSH",
+  "WireGuard",
+  "API",
+  "k8s",
+  "TLS",
+  "HTTP",
+  "HTTPS",
+  "TCP",
+  "UDP",
+  "CIDR",
+  "CPU",
+  "RAM",
+  "GPU",
+  "SSD",
+  "HDD",
+  "VM",
+  "CNI",
+  "CSI",
+  "MariaDB",
+  "PostgreSQL",
+  "MongoDB"
+]);
 
 // src/common.ts
 var common_exports = {};
 __export(common_exports, {
+  checksumAlgorithmSchema: () => checksumAlgorithmSchema,
+  checksumSchema: () => checksumSchema,
   existingServer: () => existingServer,
-  fileContentEntity: () => fileContentEntity,
+  fileContentSchema: () => fileContentSchema,
   fileEntity: () => fileEntity,
-  fileMetaEntity: () => fileMetaEntity,
+  folderContentSchema: () => folderContentSchema,
+  folderEntity: () => folderEntity,
+  folderMetaSchema: () => folderMetaSchema,
+  remoteFile: () => remoteFile,
   script: () => script,
   serverDns: () => serverDns,
   serverEntity: () => serverEntity,
   serverOutputs: () => serverOutputs,
   serverPatch: () => serverPatch
 });
-import { defineEntity as defineEntity4, defineUnit as defineUnit3, Type as Type5 } from "@highstate/contract";
 
 // src/ssh.ts
 var ssh_exports = {};
@@ -27,7 +66,6 @@ __export(ssh_exports, {
   keyPairEntity: () => keyPairEntity,
   keyTypeSchema: () => keyTypeSchema
 });
-import { defineEntity as defineEntity2, defineUnit as defineUnit2, Type as Type2 } from "@highstate/contract";
 
 // src/network.ts
 var network_exports = {};
@@ -38,10 +76,11 @@ __export(network_exports, {
   l3EndpointEntity: () => l3EndpointEntity,
   l4Endpoint: () => l4Endpoint,
   l4EndpointEntity: () => l4EndpointEntity,
+  l4PortInfoSchema: () => l4PortInfoSchema,
   l4ProtocolSchema: () => l4ProtocolSchema,
-  portInfoSchema: () => portInfoSchema
+  l7AppInfoSchema: () => l7AppInfoSchema,
+  l7EndpointEntity: () => l7EndpointEntity
 });
-import { defineEntity, defineUnit, Type } from "@highstate/contract";
 var endpointVisibilitySchema = Type.StringEnum([
   "public",
   // Reachable from the public internet
@@ -88,18 +127,39 @@ var l3EndpointEntity = defineEntity({
   }
 });
 var l4ProtocolSchema = Type.StringEnum(["tcp", "udp"]);
-var portInfoSchema = Type.Object({
+var l4PortInfoSchema = Type.Object({
   port: Type.Number(),
   protocol: l4ProtocolSchema
 });
 var l4EndpointEntity = defineEntity({
   type: "network.l4-endpoint",
-  schema: Type.Intersect([l3EndpointEntity.schema, portInfoSchema]),
+  schema: Type.Intersect([l3EndpointEntity.schema, l4PortInfoSchema]),
   meta: {
     color: "#2196F3",
     description: "The L4 endpoint for some service. Extends an L3 endpoint with a port."
   }
 });
+var l7AppInfoSchema = Type.Object({
+  /**
+   * The name of the application protocol used by the endpoint.
+   */
+  appProtocol: Type.String(),
+  /**
+   * The resource path of the application endpoint, including query parameters.
+   * Must not start with a slash (`/`).
+   *
+   * Example: `api/v1/resource?query=value`, `database?param=value`, `user/repo.git`.
+   */
+  resource: Type.Optional(Type.String())
+});
+var l7EndpointEntity = defineEntity({
+  type: "network.l7-endpoint",
+  schema: Type.Intersect([l4EndpointEntity.schema, l7AppInfoSchema]),
+  meta: {
+    color: "#FF9800",
+    description: "The L7 endpoint for some service. Extends an L4 endpoint with application protocol information."
+  }
+});
 var l3Endpoint = defineUnit({
   type: "network.l3-endpoint",
   args: {
@@ -108,11 +168,23 @@ var l3Endpoint = defineUnit({
      *
      * May be a domain name or an IP address.
      */
-    endpoint: Type.String(),
+    endpoint: {
+      schema: Type.String(),
+      meta: {
+        description: `The string representation of the endpoint.
+
+ May be a domain name or an IP address.`
+      }
+    },
     /**
      * The visibility of the endpoint.
      */
-    visibility: Type.Default(endpointVisibilitySchema, "public")
+    visibility: {
+      schema: Type.Default(endpointVisibilitySchema, "public"),
+      meta: {
+        description: `The visibility of the endpoint.`
+      }
+    }
   },
   outputs: {
     endpoint: l3EndpointEntity
@@ -144,11 +216,29 @@ var l4Endpoint = defineUnit({
      * - `tcp://endpoint:port`
      * - `udp://endpoint:port`
      */
-    endpoint: Type.String(),
+    endpoint: {
+      schema: Type.String(),
+      meta: {
+        description: `The string representation of the endpoint.
+
+ May be a domain name or an IP address + port/protocol.
+
+ The possible formats are:
+
+ - \`endpoint:port\` (TCP by default)
+ - \`tcp://endpoint:port\`
+ - \`udp://endpoint:port\``
+      }
+    },
     /**
      * The visibility of the endpoint.
      */
-    visibility: Type.Default(endpointVisibilitySchema, "public")
+    visibility: {
+      schema: Type.Default(endpointVisibilitySchema, "public"),
+      meta: {
+        description: `The visibility of the endpoint.`
+      }
+    }
   },
   outputs: {
     endpoint: l4EndpointEntity
@@ -166,35 +256,151 @@ var l4Endpoint = defineUnit({
     path: "units/network/l4-endpoint"
   }
 });
+var checksumAlgorithmSchema = Type.StringEnum([
+  "md5",
+  "sha1",
+  "sha256",
+  "sha384",
+  "sha512"
+]);
+var checksumSchema = Type.Object({
+  algorithm: checksumAlgorithmSchema,
+  value: Type.String()
+});
+var fileContentSchema = Type.Union([
+  fileContentSchema$1,
+  Type.Object({
+    type: Type.Literal("local"),
+    path: Type.String()
+  }),
+  Type.Object({
+    type: Type.Literal("remote"),
+    endpoint: l7EndpointEntity.schema,
+    checksum: Type.Optional(checksumSchema)
+  })
+]);
+var fileEntity = defineEntity({
+  type: "common.file",
+  schema: Type.Object({
+    meta: fileMetaSchema,
+    content: fileContentSchema
+  }),
+  meta: {
+    color: "#FF5722"
+  }
+});
+var folderMetaSchema = Type.Object({
+  name: Type.String(),
+  mode: Type.Optional(Type.Number())
+});
+var folderContentSchema = Type.Recursive(
+  (TSelf) => {
+    return Type.Union([
+      Type.Object({
+        type: Type.Literal("embedded"),
+        files: Type.Array(fileEntity.schema),
+        folders: Type.Array(
+          Type.Object({
+            meta: folderMetaSchema,
+            content: TSelf
+          })
+        )
+      }),
+      Type.Object({
+        type: Type.Literal("artifact"),
+        [HighstateSignature.Artifact]: unitArtifactSchema
+      }),
+      Type.Object({
+        type: Type.Literal("local"),
+        path: Type.String()
+      }),
+      Type.Object({
+        type: Type.Literal("remote"),
+        endpoint: l7EndpointEntity.schema
+      })
+    ]);
+  },
+  { $id: "common.folder.content" }
+);
+var folderEntity = defineEntity({
+  type: "common.folder",
+  schema: Type.Object({
+    meta: folderMetaSchema,
+    content: folderContentSchema
+  }),
+  meta: {
+    color: "#FF9800"
+  }
+});
+var remoteFile = defineUnit({
+  type: "common.remote-file",
+  args: {
+    /**
+     * The URL of the remote file.
+     */
+    url: {
+      schema: Type.Optional(Type.String()),
+      meta: {
+        description: `The URL of the remote file.`
+      }
+    }
+  },
+  inputs: {
+    /**
+     * The L7 endpoint of the remote file.
+     */
+    endpoint: {
+      entity: l7EndpointEntity,
+      required: false,
+      meta: {
+        description: `The L7 endpoint of the remote file.`
+      }
+    }
+  },
+  outputs: {
+    file: fileEntity
+  },
+  meta: {
+    displayName: "Remote File",
+    description: "References a file from a remote URL.",
+    primaryIcon: "mdi:file-download",
+    category: "Files"
+  },
+  source: {
+    package: "@highstate/common",
+    path: "units/remote-file"
+  }
+});
 
 // src/ssh.ts
-var keyTypeSchema = Type2.StringEnum(["ed25519"]);
-var keyPairEntity = defineEntity2({
+var keyTypeSchema = Type.StringEnum(["ed25519"]);
+var keyPairEntity = defineEntity({
   type: "ssh.key-pair",
-  schema: Type2.Object({
+  schema: Type.Object({
     type: keyTypeSchema,
-    fingerprint: Type2.String(),
-    publicKey: Type2.String(),
-    privateKey: Type2.String()
+    fingerprint: Type.String(),
+    publicKey: Type.String(),
+    privateKey: Type.String()
   }),
   meta: {
     color: "#2b5797"
   }
 });
-var credentialsSchema = Type2.Object({
-  endpoints: Type2.Array(l4EndpointEntity.schema),
-  hostKey: Type2.String(),
-  user: Type2.String(),
-  password: Type2.Optional(Type2.String()),
-  keyPair: Type2.Optional(keyPairEntity.schema)
+var credentialsSchema = Type.Object({
+  endpoints: Type.Array(l4EndpointEntity.schema),
+  hostKey: Type.String(),
+  user: Type.String(),
+  password: Type.Optional(Type.String()),
+  keyPair: Type.Optional(keyPairEntity.schema)
 });
-var keyPair = defineUnit2({
+var keyPair = defineUnit({
   type: "ssh.key-pair",
   secrets: {
-    privateKey: Type2.Optional(Type2.String())
+    privateKey: Type.Optional(Type.String())
   },
   outputs: {
-    keyPair: keyPairEntity
+    keyPair: keyPairEntity,
+    publicKeyFile: fileEntity
   },
   meta: {
     displayName: "SSH Key Pair",
@@ -218,10 +424,6 @@ __export(dns_exports, {
   inputs: () => inputs,
   providerEntity: () => providerEntity
 });
-import { defineEntity as defineEntity3, Type as Type4 } from "@highstate/contract";
-
-// src/utils.ts
-import { Type as Type3 } from "@highstate/contract";
 function prefixWith(string, prefix) {
   return prefix ? `${prefix}${string.charAt(0).toUpperCase()}${string.slice(1)}` : string;
 }
@@ -230,16 +432,16 @@ function prefixKeysWith(prefix, obj) {
     Object.entries(obj).map(([key, value]) => [prefixWith(key, prefix), value])
   );
 }
-var arrayPatchModeSchema = Type3.StringEnum(["prepend", "replace"]);
+var arrayPatchModeSchema = Type.StringEnum(["prepend", "replace"]);
 
 // src/dns.ts
-var providerEntity = defineEntity3({
+var providerEntity = defineEntity({
   type: "dns.provider",
-  schema: Type4.Object({
-    name: Type4.String(),
-    type: Type4.String(),
-    data: Type4.Record(Type4.String(), Type4.Unknown()),
-    domain: Type4.String()
+  schema: Type.Object({
+    name: Type.String(),
+    type: Type.String(),
+    data: Type.Record(Type.String(), Type.Unknown()),
+    domain: Type.String()
   }),
   meta: {
     color: "#FF5722"
@@ -253,17 +455,8 @@ function createArgs(prefix) {
      * Will be inserted at the beginning of the resulting endpoint list.
      *
      * Will throw an error if no matching provider is found.
-     *
-     * @schema
      */
-    fqdn: {
-      ...Type4.Optional(Type4.String()),
-      description: `The FQDN to register the existing endpoints with.
-
- Will be inserted at the beginning of the resulting endpoint list.
-
- Will throw an error if no matching provider is found.`
-    },
+    fqdn: Type.Optional(Type.String()),
     /**
      * The endpoint filter to filter the endpoints before creating the DNS records.
      *
@@ -280,27 +473,8 @@ function createArgs(prefix) {
      * - If any public endpoints exist, all public endpoints are selected;
      * - Otherwise, if any external endpoints exist, all external endpoints are selected;
      * - If neither exist, all internal endpoints are selected.
-     *
-     * @schema
      */
-    endpointFilter: {
-      ...Type4.Default(endpointFilterSchema, []),
-      description: `The endpoint filter to filter the endpoints before creating the DNS records.
-
- Possible values:
-
- - \`public\`: Only endpoints exposed to the public internet.
- - \`external\`: Reachable from outside the system but not public (e.g., LAN, VPC).
- - \`internal\`: Reachable only from within the system boundary (e.g., inside a cluster).
-
- You can select one or more values.
-
- If no value is provided, the endpoints will be filtered by the most accessible type:
-
- - If any public endpoints exist, all public endpoints are selected;
- - Otherwise, if any external endpoints exist, all external endpoints are selected;
- - If neither exist, all internal endpoints are selected.`
-    },
+    endpointFilter: Type.Default(endpointFilterSchema, []),
     /**
      * The mode to use for patching the existing endpoints.
      *
@@ -308,18 +482,8 @@ function createArgs(prefix) {
      * - `replace`: Replace the existing endpoints with the FQDN. It will ensure that the only the FQDN is used.
      *
      * The default is `prepend`.
-     *
-     * @schema
      */
-    patchMode: {
-      ...Type4.Default(arrayPatchModeSchema, "prepend"),
-      description: `The mode to use for patching the existing endpoints.
-
- - \`prepend\`: Prepend the FQDN to the existing endpoints. It will make them prioritized.
- - \`replace\`: Replace the existing endpoints with the FQDN. It will ensure that the only the FQDN is used.
-
- The default is \`prepend\`.`
-    }
+    patchMode: Type.Default(arrayPatchModeSchema, "prepend")
   });
 }
 var inputs = {
@@ -327,27 +491,20 @@ var inputs = {
    * The DNS providers to use to create the DNS records.
    *
    * If multiple providers match the domain, all of them will be used and multiple DNS records will be created.
-   *
-   * @schema
    */
   dnsProviders: {
-    ...{
-      entity: providerEntity,
-      multiple: true
-    },
-    description: `The DNS providers to use to create the DNS records.
-
- If multiple providers match the domain, all of them will be used and multiple DNS records will be created.`
+    entity: providerEntity,
+    multiple: true
   }
 };
 
 // src/common.ts
-var serverEntity = defineEntity4({
+var serverEntity = defineEntity({
   type: "common.server",
-  schema: Type5.Object({
-    hostname: Type5.String(),
-    endpoints: Type5.Array(l3EndpointEntity.schema),
-    ssh: Type5.Optional(credentialsSchema)
+  schema: Type.Object({
+    hostname: Type.String(),
+    endpoints: Type.Array(l3EndpointEntity.schema),
+    ssh: Type.Optional(credentialsSchema)
   }),
   meta: {
     color: "#009688"
@@ -360,7 +517,7 @@ var serverOutputs = {
     multiple: true
   }
 };
-var existingServer = defineUnit3({
+var existingServer = defineUnit({
   type: "common.existing-server",
   args: {
     /**
@@ -368,19 +525,36 @@ var existingServer = defineUnit3({
      *
      * Takes precedence over the `endpoint` input.
      */
-    endpoint: Type5.Optional(Type5.String()),
+    endpoint: {
+      schema: Type.Optional(Type.String()),
+      meta: {
+        description: `The endpoint of the server.
+
+ Takes precedence over the \`endpoint\` input.`
+      }
+    },
     /**
      * The SSH user to use for connecting to the server.
      */
-    sshUser: Type5.Default(Type5.String(), "root"),
+    sshUser: {
+      schema: Type.Default(Type.String(), "root"),
+      meta: {
+        description: `The SSH user to use for connecting to the server.`
+      }
+    },
     /**
      * The SSH port to use for connecting to the server.
      */
-    sshPort: Type5.Default(Type5.Number(), 22)
+    sshPort: {
+      schema: Type.Default(Type.Number(), 22),
+      meta: {
+        description: `The SSH port to use for connecting to the server.`
+      }
+    }
   },
   secrets: {
-    sshPassword: Type5.Optional(Type5.String()),
-    sshPrivateKey: Type5.Optional(Type5.String())
+    sshPassword: Type.Optional(Type.String()),
+    sshPrivateKey: Type.Optional(Type.String())
   },
   inputs: {
     sshKeyPair: {
@@ -405,7 +579,7 @@ var existingServer = defineUnit3({
     path: "units/existing-server"
   }
 });
-var serverPatch = defineUnit3({
+var serverPatch = defineUnit({
   type: "common.server-patch",
   args: {
     /**
@@ -414,16 +588,16 @@ var serverPatch = defineUnit3({
      * The entry may represent real node endpoint or virtual endpoint (like a load balancer).
      *
      * The same server may also be represented by multiple entries (e.g. a node with private and public IP).
-     *
-     * @schema
      */
     endpoints: {
-      ...Type5.Default(Type5.Array(Type5.String()), []),
-      description: `The endpoints of the server.
+      schema: Type.Default(Type.Array(Type.String()), []),
+      meta: {
+        description: `The endpoints of the server.
 
  The entry may represent real node endpoint or virtual endpoint (like a load balancer).
 
  The same server may also be represented by multiple entries (e.g. a node with private and public IP).`
+      }
     },
     /**
      * The mode to use for patching the endpoints.
@@ -431,7 +605,15 @@ var serverPatch = defineUnit3({
      * - `prepend`: prepend the new endpoints to the existing ones (default);
      * - `replace`: replace the existing endpoints with the new ones.
      */
-    endpointsPatchMode: Type5.Default(arrayPatchModeSchema, "prepend")
+    endpointsPatchMode: {
+      schema: Type.Default(arrayPatchModeSchema, "prepend"),
+      meta: {
+        description: `The mode to use for patching the endpoints.
+
+ - \`prepend\`: prepend the new endpoints to the existing ones (default);
+ - \`replace\`: replace the existing endpoints with the new ones.`
+      }
+    }
   },
   inputs: {
     server: serverEntity,
@@ -460,7 +642,7 @@ var serverPatch = defineUnit3({
     path: "units/server-patch"
   }
 });
-var serverDns = defineUnit3({
+var serverDns = defineUnit({
   type: "common.server-dns",
   args: createArgs(),
   inputs: {
@@ -486,12 +668,12 @@ var serverDns = defineUnit3({
     path: "units/server-dns"
   }
 });
-var script = defineUnit3({
+var script = defineUnit({
   type: "common.script",
   args: {
-    script: Type5.String({ language: "shell" }),
-    updateScript: Type5.Optional(Type5.String({ language: "shell" })),
-    deleteScript: Type5.Optional(Type5.String({ language: "shell" }))
+    script: Type.String({ language: "shell" }),
+    updateScript: Type.Optional(Type.String({ language: "shell" })),
+    deleteScript: Type.Optional(Type.String({ language: "shell" }))
   },
   inputs: {
     server: serverEntity
@@ -510,46 +692,6 @@ var script = defineUnit3({
     path: "units/script"
   }
 });
-var fileMetaEntity = defineEntity4({
-  type: "common.file-meta",
-  schema: Type5.Object({
-    name: Type5.String(),
-    size: Type5.Number(),
-    mode: Type5.Number(),
-    isBinary: Type5.Optional(Type5.Boolean())
-  }),
-  meta: {
-    color: "#FF5722",
-    description: "Metadata for a file."
-  }
-});
-var fileContentEntity = defineEntity4({
-  type: "common.file-content",
-  schema: Type5.Union([
-    Type5.Object({
-      type: Type5.Literal("inline"),
-      content: Type5.String()
-    }),
-    Type5.Object({
-      type: Type5.Literal("remote"),
-      url: Type5.String()
-    })
-  ]),
-  meta: {
-    color: "#FF5722",
-    description: "The content of a file."
-  }
-});
-var fileEntity = defineEntity4({
-  type: "common.file",
-  schema: Type5.Object({
-    meta: fileMetaEntity.schema,
-    content: fileContentEntity.schema
-  }),
-  meta: {
-    color: "#FF5722"
-  }
-});
 
 // src/proxmox.ts
 var proxmox_exports = {};
@@ -561,49 +703,163 @@ __export(proxmox_exports, {
   imageEntity: () => imageEntity,
   virtualMachine: () => virtualMachine
 });
-import { defineEntity as defineEntity5, defineUnit as defineUnit4, Type as Type6 } from "@highstate/contract";
-var clusterEntity = defineEntity5({
+var clusterEntity = defineEntity({
   type: "proxmox.cluster",
-  schema: Type6.Object({
-    endpoint: Type6.String(),
-    insecure: Type6.Optional(Type6.Boolean()),
-    username: Type6.Optional(Type6.String()),
-    defaultNodeName: Type6.String(),
-    defaultDatastoreId: Type6.String(),
-    password: Type6.Optional(Type6.String()),
-    apiToken: Type6.Optional(Type6.String()),
-    sshKeyPair: Type6.Optional(keyPairEntity.schema)
+  schema: Type.Object({
+    endpoint: l7EndpointEntity.schema,
+    insecure: Type.Optional(Type.Boolean()),
+    username: Type.Optional(Type.String()),
+    defaultNodeName: Type.String(),
+    defaultDatastoreId: Type.String(),
+    password: Type.Optional(Type.String()),
+    apiToken: Type.Optional(Type.String()),
+    ssh: Type.Optional(credentialsSchema)
   }),
   meta: {
     color: "#e56901"
   }
 });
-var imageEntity = defineEntity5({
+var imageEntity = defineEntity({
   type: "proxmox.image",
-  schema: Type6.Object({
-    id: Type6.String()
+  schema: Type.Object({
+    id: Type.String()
   }),
   meta: {
     color: "#e56901"
   }
 });
-var connection = defineUnit4({
+var connection = defineUnit({
   type: "proxmox.connection",
   args: {
-    endpoint: Type6.String(),
-    insecure: Type6.Optional(Type6.Boolean()),
-    username: Type6.Optional(Type6.String()),
-    defaultNodeName: Type6.Optional(Type6.String()),
-    defaultDatastoreId: Type6.Optional(Type6.String())
+    /**
+     * The endpoint of the Proxmox API.
+     */
+    endpoint: {
+      schema: Type.String(),
+      meta: {
+        description: `The endpoint of the Proxmox API.`
+      }
+    },
+    /**
+     * Whether to allow insecure connections to the Proxmox API.
+     */
+    insecure: {
+      schema: Type.Optional(Type.Boolean()),
+      meta: {
+        description: `Whether to allow insecure connections to the Proxmox API.`
+      }
+    },
+    /**
+     * The username to use for the Proxmox API.
+     *
+     * Only required for password token authentication.
+     */
+    username: {
+      schema: Type.Optional(Type.String()),
+      meta: {
+        description: `The username to use for the Proxmox API.
+
+ Only required for password token authentication.`
+      }
+    },
+    /**
+     * The name of the default Proxmox node to use for operations.
+     *
+     * If not specified, the first node in the cluster will be used.
+     */
+    defaultNodeName: {
+      schema: Type.Optional(Type.String()),
+      meta: {
+        description: `The name of the default Proxmox node to use for operations.
+
+ If not specified, the first node in the cluster will be used.`
+      }
+    },
+    /**
+     * The ID of the default Proxmox datastore to use for operations.
+     *
+     * If not specified, the first datastore in the cluster will be used.
+     */
+    defaultDatastoreId: {
+      schema: Type.Optional(Type.String()),
+      meta: {
+        description: `The ID of the default Proxmox datastore to use for operations.
+
+ If not specified, the first datastore in the cluster will be used.`
+      }
+    },
+    /**
+     * The username to use for SSH connections to the Proxmox nodes.
+     *
+     * By default, this is set to "root".
+     */
+    sshUser: {
+      schema: Type.Default(Type.String(), "root"),
+      meta: {
+        description: `The username to use for SSH connections to the Proxmox nodes.
+
+ By default, this is set to "root".`
+      }
+    },
+    /**
+     * The port to use for SSH connections to the Proxmox nodes.
+     *
+     * By default, this is set to 22.
+     */
+    sshPort: {
+      schema: Type.Default(Type.Number(), 22),
+      meta: {
+        description: `The port to use for SSH connections to the Proxmox nodes.
+
+ By default, this is set to 22.`
+      }
+    }
   },
   secrets: {
-    password: Type6.Optional(Type6.String()),
-    apiToken: Type6.Optional(Type6.String())
+    /**
+     * The password to use for the Proxmox API.
+     *
+     * Requires `username` to be set.
+     */
+    password: {
+      schema: Type.Optional(Type.String()),
+      meta: {
+        description: `The password to use for the Proxmox API.
+
+ Requires \`username\` to be set.`,
+        displayName: "Proxmox Password"
+      }
+    },
+    /**
+     * The Proxmox API token to use for authentication.
+     */
+    apiToken: {
+      schema: Type.Optional(Type.String()),
+      meta: {
+        description: `The Proxmox API token to use for authentication.`,
+        displayName: "Proxmox API Token"
+      }
+    },
+    /**
+     * The SSH password to use for connecting to the Proxmox nodes.
+     */
+    sshPassword: {
+      schema: Type.Optional(Type.String()),
+      meta: {
+        description: `The SSH password to use for connecting to the Proxmox nodes.`
+      }
+    }
   },
   inputs: {
+    /**
+     * The key pair to use for SSH connections to the Proxmox nodes.
+     */
     sshKeyPair: {
       entity: keyPairEntity,
-      required: false
+      required: false,
+      meta: {
+        description: `The key pair to use for SSH connections to the Proxmox nodes.`
+      }
     }
   },
   outputs: {
@@ -621,16 +877,93 @@ var connection = defineUnit4({
     path: "connection"
   }
 });
-var image = defineUnit4({
+var image = defineUnit({
   type: "proxmox.image",
   args: {
-    url: Type6.String(),
-    nodeName: Type6.Optional(Type6.String()),
-    sha256: Type6.Optional(Type6.String()),
-    datastoreId: Type6.Optional(Type6.String())
+    /**
+     * The name of the image to upload.
+     *
+     * If not specified, the default name is `<unitName>-<sha256>.<extension>`
+     * or `<unitName>.<extension>` if `sha256` is not provided.
+     */
+    fileName: {
+      schema: Type.Optional(Type.String()),
+      meta: {
+        description: `The name of the image to upload.
+
+ If not specified, the default name is \`<unitName>-<sha256>.<extension>\`
+ or \`<unitName>.<extension>\` if \`sha256\` is not provided.`
+      }
+    },
+    /**
+     * The URL of the image to upload.
+     */
+    url: {
+      schema: Type.Optional(Type.String()),
+      meta: {
+        description: `The URL of the image to upload.`
+      }
+    },
+    /**
+     * The checksum of the image file to verify.
+     */
+    checksum: {
+      schema: Type.Optional(checksumSchema),
+      meta: {
+        description: `The checksum of the image file to verify.`
+      }
+    },
+    /**
+     * The name of the Proxmox node to upload the image to.
+     *
+     * If not specified, the default node name from the cluster will be used.
+     */
+    nodeName: {
+      schema: Type.Optional(Type.String()),
+      meta: {
+        description: `The name of the Proxmox node to upload the image to.
+
+ If not specified, the default node name from the cluster will be used.`
+      }
+    },
+    /**
+     * The ID of the Proxmox datastore to upload the image to.
+     *
+     * If not specified, the default datastore ID from the cluster will be used.
+     */
+    datastoreId: {
+      schema: Type.Optional(Type.String()),
+      meta: {
+        description: `The ID of the Proxmox datastore to upload the image to.
+
+ If not specified, the default datastore ID from the cluster will be used.`
+      }
+    }
   },
   inputs: {
-    proxmoxCluster: clusterEntity
+    /**
+     * The Proxmox cluster to upload the image to.
+     */
+    proxmoxCluster: {
+      entity: clusterEntity,
+      meta: {
+        description: `The Proxmox cluster to upload the image to.`
+      }
+    },
+    /**
+     * The file to upload as an image.
+     *
+     * If `url` is not specified, this file will be used.
+     */
+    file: {
+      entity: fileEntity,
+      required: false,
+      meta: {
+        description: `The file to upload as an image.
+
+ If \`url\` is not specified, this file will be used.`
+      }
+    }
   },
   outputs: {
     image: imageEntity
@@ -648,10 +981,10 @@ var image = defineUnit4({
     path: "image"
   }
 });
-var existingImage = defineUnit4({
+var existingImage = defineUnit({
   type: "proxmox.existing-image",
   args: {
-    id: Type6.String()
+    id: Type.String()
   },
   inputs: {
     proxmoxCluster: clusterEntity
@@ -672,27 +1005,39 @@ var existingImage = defineUnit4({
     path: "existing-image"
   }
 });
-var virtualMachine = defineUnit4({
+var virtualMachine = defineUnit({
   type: "proxmox.virtual-machine",
   args: {
-    nodeName: Type6.Optional(Type6.String()),
-    cpuType: Type6.Default(Type6.String(), "host"),
-    cores: Type6.Default(Type6.Number(), 1),
-    sockets: Type6.Default(Type6.Number(), 1),
-    memory: Type6.Default(Type6.Number(), 512),
-    ipv4: Type6.Optional(Type6.String()),
-    ipv4Gateway: Type6.Optional(Type6.String()),
-    dns: Type6.Optional(Type6.Array(Type6.String())),
-    datastoreId: Type6.Optional(Type6.String()),
-    diskSize: Type6.Default(Type6.Number(), 8),
-    bridge: Type6.Default(Type6.String(), "vmbr0"),
-    sshPort: Type6.Default(Type6.Number(), 22),
-    sshUser: Type6.Default(Type6.String(), "root"),
-    waitForAgent: Type6.Default(Type6.Boolean(), true),
-    vendorData: Type6.Optional(Type6.String({ language: "yaml" }))
+    nodeName: Type.Optional(Type.String()),
+    cpuType: Type.Default(Type.String(), "host"),
+    cores: Type.Default(Type.Number(), 1),
+    sockets: Type.Default(Type.Number(), 1),
+    memory: Type.Default(Type.Number(), 512),
+    /**
+     * The IPv4 address to assign to the virtual machine.
+     *
+     * If not specified, the virtual machine will not have an IPv4 address.
+     */
+    ipv4: {
+      schema: Type.Optional(Type.String()),
+      meta: {
+        description: `The IPv4 address to assign to the virtual machine.
+
+ If not specified, the virtual machine will not have an IPv4 address.`
+      }
+    },
+    ipv4Gateway: Type.Optional(Type.String()),
+    dns: Type.Optional(Type.Array(Type.String())),
+    datastoreId: Type.Optional(Type.String()),
+    diskSize: Type.Default(Type.Number(), 8),
+    bridge: Type.Default(Type.String(), "vmbr0"),
+    sshPort: Type.Default(Type.Number(), 22),
+    sshUser: Type.Default(Type.String(), "root"),
+    waitForAgent: Type.Default(Type.Boolean(), true),
+    vendorData: Type.Optional(Type.String({ language: "yaml" }))
   },
   secrets: {
-    sshPassword: Type6.Optional(Type6.String())
+    sshPassword: Type.Optional(Type.String())
   },
   inputs: {
     proxmoxCluster: clusterEntity,
@@ -700,6 +1045,20 @@ var virtualMachine = defineUnit4({
     sshKeyPair: {
       entity: keyPairEntity,
       required: false
+    },
+    /**
+     * The cloud-init vendor data to use for the virtual machine.
+     *
+     * You can provide a cloud-config from the distribution component.
+     */
+    vendorData: {
+      entity: fileEntity,
+      required: false,
+      meta: {
+        description: `The cloud-init vendor data to use for the virtual machine.
+
+ You can provide a cloud-config from the distribution component.`
+      }
     }
   },
   outputs: serverOutputs,
@@ -743,6 +1102,8 @@ __export(k8s_exports, {
   interfaceEntity: () => interfaceEntity,
   internalIpsPolicySchema: () => internalIpsPolicySchema,
   metadataSchema: () => metadataSchema,
+  monitorWorkerParamsSchema: () => monitorWorkerParamsSchema,
+  monitorWorkerResourceGroupSchema: () => monitorWorkerResourceGroupSchema,
   persistentVolumeClaimEntity: () => persistentVolumeClaimEntity,
   resourceSchema: () => resourceSchema,
   scheduleOnMastersPolicyArgs: () => scheduleOnMastersPolicyArgs,
@@ -753,127 +1114,72 @@ __export(k8s_exports, {
   tlsIssuerEntity: () => tlsIssuerEntity,
   tunDevicePolicySchema: () => tunDevicePolicySchema
 });
-import { defineEntity as defineEntity6, defineUnit as defineUnit5, Type as Type7 } from "@highstate/contract";
-import { Literal } from "@sinclair/typebox";
-var fallbackKubeApiAccessSchema = Type7.Object({
-  serverIp: Type7.String(),
-  serverPort: Type7.Number()
+var fallbackKubeApiAccessSchema = Type.Object({
+  serverIp: Type.String(),
+  serverPort: Type.Number()
 });
-var tunDevicePolicySchema = Type7.Union([
-  Type7.Object({
+var tunDevicePolicySchema = Type.Union([
+  Type.Object({
     type: Literal("host")
   }),
-  Type7.Object({
+  Type.Object({
     type: Literal("plugin"),
-    resourceName: Type7.String(),
-    resourceValue: Type7.String()
+    resourceName: Type.String(),
+    resourceValue: Type.String()
   })
 ]);
-var externalServiceTypeSchema = Type7.StringEnum(["NodePort", "LoadBalancer"]);
-var scheduleOnMastersPolicySchema = Type7.StringEnum(["always", "when-no-workers", "never"]);
-var cniSchema = Type7.StringEnum(["cilium", "other"]);
-var clusterQuirksSchema = Type7.Object({
+var externalServiceTypeSchema = Type.StringEnum(["NodePort", "LoadBalancer"]);
+var scheduleOnMastersPolicySchema = Type.StringEnum(["always", "when-no-workers", "never"]);
+var cniSchema = Type.StringEnum(["cilium", "other"]);
+var clusterQuirksSchema = Type.Object({
   /**
    * The IP and port of the kube-apiserver available from the cluster.
    *
    * Will be used to create fallback network policy in CNIs which does not support allowing access to the kube-apiserver.
-   *
-   * @schema
    */
-  fallbackKubeApiAccess: {
-    ...Type7.Optional(fallbackKubeApiAccessSchema),
-    description: `The IP and port of the kube-apiserver available from the cluster.
-
- Will be used to create fallback network policy in CNIs which does not support allowing access to the kube-apiserver.`
-  },
+  fallbackKubeApiAccess: Type.Optional(fallbackKubeApiAccessSchema),
   /**
    * Specifies the policy for using the tun device inside containers.
    *
    * If not provided, the default policy is `host` which assumes just mounting /dev/net/tun from the host.
    *
    * For some runtimes, like Talos's one, the /dev/net/tun device is not available in the host, so the plugin policy should be used.
-   *
-   * @schema
    */
-  tunDevicePolicy: {
-    ...Type7.Optional(tunDevicePolicySchema),
-    description: `Specifies the policy for using the tun device inside containers.
-
- If not provided, the default policy is \`host\` which assumes just mounting /dev/net/tun from the host.
-
- For some runtimes, like Talos's one, the /dev/net/tun device is not available in the host, so the plugin policy should be used.`
-  },
+  tunDevicePolicy: Type.Optional(tunDevicePolicySchema),
   /**
    * The service type to use for external services.
    *
    * If not provided, the default service type is `NodePort` since `LoadBalancer` may not be available.
-   *
-   * @schema
    */
-  externalServiceType: {
-    ...Type7.Optional(externalServiceTypeSchema),
-    description: `The service type to use for external services.
-
- If not provided, the default service type is \`NodePort\` since \`LoadBalancer\` may not be available.`
-  }
+  externalServiceType: Type.Optional(externalServiceTypeSchema)
 });
 var clusterInfoProperties = {
   /**
    * The unique identifier of the cluster.
    *
    * Should be defined as a UUID of the `kube-system` namespace which is always present in the cluster.
-   *
-   * @schema
    */
-  id: {
-    ...Type7.String(),
-    description: `The unique identifier of the cluster.
-
- Should be defined as a UUID of the \`kube-system\` namespace which is always present in the cluster.`
-  },
+  id: Type.String(),
   /**
    * The name of the cluster.
-   *
-   * @schema
    */
-  name: {
-    ...Type7.String(),
-    description: `The name of the cluster.`
-  },
+  name: Type.String(),
   /**
    * The name of the CNI plugin used by the cluster.
    *
    * Supported values are:
    * - `cilium`
    * - `other`
-   *
-   * @schema
    */
-  cni: {
-    ...cniSchema,
-    description: `The name of the CNI plugin used by the cluster.
-
- Supported values are:
- - \`cilium\`
- - \`other\``
-  },
+  cni: cniSchema,
   /**
    * The endpoints of the cluster nodes.
    *
    * The entry may represent real node endpoint or virtual endpoint (like a load balancer).
    *
    * The same node may also be represented by multiple entries (e.g. a node with private and public IP).
-   *
-   * @schema
    */
-  endpoints: {
-    ...Type7.Array(l3EndpointEntity.schema),
-    description: `The endpoints of the cluster nodes.
-
- The entry may represent real node endpoint or virtual endpoint (like a load balancer).
-
- The same node may also be represented by multiple entries (e.g. a node with private and public IP).`
-  },
+  endpoints: Type.Array(l3EndpointEntity.schema),
   /**
    * The endpoints of the API server.
    *
@@ -881,68 +1187,53 @@ var clusterInfoProperties = {
    *
    * The same node may also be represented by multiple entries (e.g. a node with private and public IP).
    */
-  apiEndpoints: Type7.Array(l4EndpointEntity.schema),
+  apiEndpoints: Type.Array(l4EndpointEntity.schema),
   /**
    * The external IPs of the cluster nodes allowed to be used for external access.
-   *
-   * @schema
    */
-  externalIps: {
-    ...Type7.Array(Type7.String()),
-    description: `The external IPs of the cluster nodes allowed to be used for external access.`
-  },
+  externalIps: Type.Array(Type.String()),
   /**
    * The extra quirks of the cluster to improve compatibility.
-   *
-   * @schema
    */
-  quirks: {
-    ...Type7.Optional(clusterQuirksSchema),
-    description: `The extra quirks of the cluster to improve compatibility.`
-  },
+  quirks: Type.Optional(clusterQuirksSchema),
   /**
    * The extra metadata to attach to the cluster.
-   *
-   * @schema
    */
-  metadata: {
-    ...Type7.Optional(Type7.Record(Type7.String(), Type7.Unknown())),
-    description: `The extra metadata to attach to the cluster.`
-  }
+  metadata: Type.Optional(Type.Record(Type.String(), Type.Unknown()))
 };
-var serviceTypeSchema = Type7.StringEnum(["NodePort", "LoadBalancer", "ClusterIP"]);
-var metadataSchema = Type7.Object({
-  name: Type7.String(),
-  namespace: Type7.String(),
-  labels: Type7.Optional(Type7.Record(Type7.String(), Type7.String())),
-  annotations: Type7.Optional(Type7.Record(Type7.String(), Type7.String()))
-});
-var resourceSchema = Type7.Object({
-  clusterId: Type7.String(),
+var serviceTypeSchema = Type.StringEnum(["NodePort", "LoadBalancer", "ClusterIP"]);
+var metadataSchema = Type.Object({
+  name: Type.String(),
+  namespace: Type.String(),
+  labels: Type.Optional(Type.Record(Type.String(), Type.String())),
+  annotations: Type.Optional(Type.Record(Type.String(), Type.String()))
+});
+var resourceSchema = Type.Object({
+  clusterId: Type.String(),
   metadata: metadataSchema
 });
-var serviceEntity = defineEntity6({
+var serviceEntity = defineEntity({
   type: "k8s.service",
-  schema: Type7.Object({
-    type: Type7.Literal("k8s.service"),
+  schema: Type.Object({
+    type: Type.Literal("k8s.service"),
     ...resourceSchema.properties,
-    endpoints: Type7.Array(l4EndpointEntity.schema)
+    endpoints: Type.Array(l4EndpointEntity.schema)
   }),
   meta: {
     color: "#2196F3"
   }
 });
-var clusterEntity2 = defineEntity6({
+var clusterEntity2 = defineEntity({
   type: "k8s.cluster",
-  schema: Type7.Object({
+  schema: Type.Object({
     ...clusterInfoProperties,
-    kubeconfig: Type7.String()
+    kubeconfig: Type.String()
   }),
   meta: {
     color: "#2196F3"
   }
 });
-var internalIpsPolicySchema = Type7.StringEnum(["always", "public", "never"]);
+var internalIpsPolicySchema = Type.StringEnum(["always", "public", "never"]);
 var scheduleOnMastersPolicyArgs = {
   /**
    * The policy for scheduling workloads on master nodes.
@@ -950,17 +1241,8 @@ var scheduleOnMastersPolicyArgs = {
    * - `always`: always schedule workloads on master nodes regardless of the number of workers;
    * - `when-no-workers`: schedule workloads on master nodes only if there are no workers (default);
    * - `never`: never schedule workloads on master nodes.
-   *
-   * @schema
    */
-  scheduleOnMastersPolicy: {
-    ...Type7.Default(scheduleOnMastersPolicySchema, "when-no-workers"),
-    description: `The policy for scheduling workloads on master nodes.
-
- - \`always\`: always schedule workloads on master nodes regardless of the number of workers;
- - \`when-no-workers\`: schedule workloads on master nodes only if there are no workers (default);
- - \`never\`: never schedule workloads on master nodes.`
-  }
+  scheduleOnMastersPolicy: Type.Default(scheduleOnMastersPolicySchema, "when-no-workers")
 };
 var clusterInputs = {
   masters: {
@@ -984,21 +1266,21 @@ var clusterOutputs = {
     multiple: true
   }
 };
-var existingCluster = defineUnit5({
+var existingCluster = defineUnit({
   type: "k8s.existing-cluster",
   args: {
     /**
      * The list of external IPs of the cluster nodes allowed to be used for external access.
      *
      * If not provided, will be automatically detected by querying the cluster nodes.
-     *
-     * @schema
      */
     externalIps: {
-      ...Type7.Optional(Type7.Array(Type7.String())),
-      description: `The list of external IPs of the cluster nodes allowed to be used for external access.
+      schema: Type.Optional(Type.Array(Type.String())),
+      meta: {
+        description: `The list of external IPs of the cluster nodes allowed to be used for external access.
 
  If not provided, will be automatically detected by querying the cluster nodes.`
+      }
     },
     /**
      * The policy for using internal IPs of the nodes as external IPs.
@@ -1006,25 +1288,25 @@ var existingCluster = defineUnit5({
      * - `always`: always use internal IPs as external IPs;
      * - `public`: use internal IPs as external IPs only if they are (theoretically) routable from the public internet **(default)**;
      * - `never`: never use internal IPs as external IPs.
-     *
-     * @schema
      */
     internalIpsPolicy: {
-      ...Type7.Default(internalIpsPolicySchema, "public"),
-      description: `The policy for using internal IPs of the nodes as external IPs.
+      schema: Type.Default(internalIpsPolicySchema, "public"),
+      meta: {
+        description: `The policy for using internal IPs of the nodes as external IPs.
 
  - \`always\`: always use internal IPs as external IPs;
  - \`public\`: use internal IPs as external IPs only if they are (theoretically) routable from the public internet **(default)**;
  - \`never\`: never use internal IPs as external IPs.`
+      }
     },
     /**
      * The extra quirks of the cluster to improve compatibility.
-     *
-     * @schema
      */
     quirks: {
-      ...Type7.Optional(clusterQuirksSchema),
-      description: `The extra quirks of the cluster to improve compatibility.`
+      schema: Type.Optional(clusterQuirksSchema),
+      meta: {
+        description: `The extra quirks of the cluster to improve compatibility.`
+      }
     }
   },
   secrets: {
@@ -1032,14 +1314,14 @@ var existingCluster = defineUnit5({
      * The kubeconfig of the cluster to use for connecting to the cluster.
      *
      * Will be available for all components using `cluster` output of this unit.
-     *
-     * @schema
      */
     kubeconfig: {
-      ...Type7.Record(Type7.String(), Type7.Any()),
-      description: `The kubeconfig of the cluster to use for connecting to the cluster.
+      schema: Type.Record(Type.String(), Type.Any()),
+      meta: {
+        description: `The kubeconfig of the cluster to use for connecting to the cluster.
 
  Will be available for all components using \`cluster\` output of this unit.`
+      }
     }
   },
   outputs: clusterOutputs,
@@ -1054,7 +1336,7 @@ var existingCluster = defineUnit5({
     path: "units/existing-cluster"
   }
 });
-var clusterPatch = defineUnit5({
+var clusterPatch = defineUnit({
   type: "k8s.cluster-patch",
   args: {
     /**
@@ -1063,16 +1345,16 @@ var clusterPatch = defineUnit5({
      * The entry may represent real node endpoint or virtual endpoint (like a load balancer).
      *
      * The same node may also be represented by multiple entries (e.g. a node with private and public IP).
-     *
-     * @schema
      */
     apiEndpoints: {
-      ...Type7.Default(Type7.Array(Type7.String()), []),
-      description: `The endpoints of the API server.
+      schema: Type.Default(Type.Array(Type.String()), []),
+      meta: {
+        description: `The endpoints of the API server.
 
  The entry may represent real node endpoint or virtual endpoint (like a load balancer).
 
  The same node may also be represented by multiple entries (e.g. a node with private and public IP).`
+      }
     },
     /**
      * The mode to use for patching the API endpoints.
@@ -1080,23 +1362,31 @@ var clusterPatch = defineUnit5({
      * - `prepend`: prepend the new endpoints to the existing ones (default);
      * - `replace`: replace the existing endpoints with the new ones.
      */
-    apiEndpointsPatchMode: Type7.Default(arrayPatchModeSchema, "prepend"),
+    apiEndpointsPatchMode: {
+      schema: Type.Default(arrayPatchModeSchema, "prepend"),
+      meta: {
+        description: `The mode to use for patching the API endpoints.
+
+ - \`prepend\`: prepend the new endpoints to the existing ones (default);
+ - \`replace\`: replace the existing endpoints with the new ones.`
+      }
+    },
     /**
      * The endpoints of the cluster nodes.
      *
      * The entry may represent real node endpoint or virtual endpoint (like a load balancer).
      *
      * The same node may also be represented by multiple entries (e.g. a node with private and public IP).
-     *
-     * @schema
      */
     endpoints: {
-      ...Type7.Default(Type7.Array(Type7.String()), []),
-      description: `The endpoints of the cluster nodes.
+      schema: Type.Default(Type.Array(Type.String()), []),
+      meta: {
+        description: `The endpoints of the cluster nodes.
 
  The entry may represent real node endpoint or virtual endpoint (like a load balancer).
 
  The same node may also be represented by multiple entries (e.g. a node with private and public IP).`
+      }
     },
     /**
      * The mode to use for patching the endpoints.
@@ -1104,7 +1394,15 @@ var clusterPatch = defineUnit5({
      * - `prepend`: prepend the new endpoints to the existing ones (default);
      * - `replace`: replace the existing endpoints with the new ones.
      */
-    endpointsPatchMode: Type7.Default(arrayPatchModeSchema, "prepend")
+    endpointsPatchMode: {
+      schema: Type.Default(arrayPatchModeSchema, "prepend"),
+      meta: {
+        description: `The mode to use for patching the endpoints.
+
+ - \`prepend\`: prepend the new endpoints to the existing ones (default);
+ - \`replace\`: replace the existing endpoints with the new ones.`
+      }
+    }
   },
   inputs: {
     k8sCluster: clusterEntity2,
@@ -1132,7 +1430,7 @@ var clusterPatch = defineUnit5({
     path: "units/cluster-patch"
   }
 });
-var clusterDns = defineUnit5({
+var clusterDns = defineUnit({
   type: "k8s.cluster-dns",
   args: {
     ...createArgs(),
@@ -1155,42 +1453,42 @@ var clusterDns = defineUnit5({
     path: "units/cluster-dns"
   }
 });
-var gatewayEntity = defineEntity6({
+var gatewayEntity = defineEntity({
   type: "k8s.gateway",
-  schema: Type7.Object({
-    clusterId: Type7.String(),
-    gatewayClassName: Type7.String(),
-    httpListenerPort: Type7.Number(),
-    httpsListenerPort: Type7.Number(),
-    endpoints: Type7.Array(l3EndpointEntity.schema)
+  schema: Type.Object({
+    clusterId: Type.String(),
+    gatewayClassName: Type.String(),
+    httpListenerPort: Type.Number(),
+    httpsListenerPort: Type.Number(),
+    endpoints: Type.Array(l3EndpointEntity.schema)
   }),
   meta: {
     color: "#4CAF50"
   }
 });
-var tlsIssuerEntity = defineEntity6({
+var tlsIssuerEntity = defineEntity({
   type: "k8s.tls-issuer",
-  schema: Type7.Object({
-    clusterId: Type7.String(),
-    clusterIssuerName: Type7.String()
+  schema: Type.Object({
+    clusterId: Type.String(),
+    clusterIssuerName: Type.String()
   }),
   meta: {
     color: "#f06292"
   }
 });
-var accessPointEntity = defineEntity6({
+var accessPointEntity = defineEntity({
   type: "k8s.access-point",
-  schema: Type7.Object({
-    clusterId: Type7.String(),
+  schema: Type.Object({
+    clusterId: Type.String(),
     gateway: gatewayEntity.schema,
     tlsIssuer: tlsIssuerEntity.schema,
-    dnsProviders: Type7.Array(providerEntity.schema)
+    dnsProviders: Type.Array(providerEntity.schema)
   }),
   meta: {
     color: "#F57F17"
   }
 });
-var accessPoint = defineUnit5({
+var accessPoint = defineUnit({
   type: "k8s.access-point",
   inputs: {
     gateway: gatewayEntity,
@@ -1214,7 +1512,7 @@ var accessPoint = defineUnit5({
     path: "units/access-point"
   }
 });
-var certManager = defineUnit5({
+var certManager = defineUnit({
   type: "k8s.cert-manager",
   inputs: {
     k8sCluster: clusterEntity2
@@ -1233,21 +1531,21 @@ var certManager = defineUnit5({
     path: "units/cert-manager"
   }
 });
-var dns01TlsIssuer = defineUnit5({
+var dns01TlsIssuer = defineUnit({
   type: "k8s.dns01-issuer",
   args: {
     /**
      * The top-level domains to filter the DNS01 challenge for.
      *
      * If not provided, will use all domains passed to the DNS providers.
-     *
-     * @schema
      */
     domains: {
-      ...Type7.Optional(Type7.Array(Type7.String())),
-      description: `The top-level domains to filter the DNS01 challenge for.
+      schema: Type.Optional(Type.Array(Type.String())),
+      meta: {
+        description: `The top-level domains to filter the DNS01 challenge for.
 
  If not provided, will use all domains passed to the DNS providers.`
+      }
     }
   },
   inputs: {
@@ -1271,21 +1569,21 @@ var dns01TlsIssuer = defineUnit5({
     path: "units/dns01-issuer"
   }
 });
-var deploymentEntity = defineEntity6({
+var deploymentEntity = defineEntity({
   type: "k8s.deployment",
-  schema: Type7.Object({
-    type: Type7.Literal("k8s.deployment"),
+  schema: Type.Object({
+    type: Type.Literal("k8s.deployment"),
     ...resourceSchema.properties,
-    service: Type7.Optional(serviceEntity.schema)
+    service: Type.Optional(serviceEntity.schema)
   }),
   meta: {
     color: "#4CAF50"
   }
 });
-var statefulSetEntity = defineEntity6({
+var statefulSetEntity = defineEntity({
   type: "k8s.stateful-set",
-  schema: Type7.Object({
-    type: Type7.Literal("k8s.stateful-set"),
+  schema: Type.Object({
+    type: Type.Literal("k8s.stateful-set"),
     ...resourceSchema.properties,
     service: serviceEntity.schema
   }),
@@ -1293,27 +1591,27 @@ var statefulSetEntity = defineEntity6({
     color: "#FFC107"
   }
 });
-var exposableWorkloadEntity = defineEntity6({
+var exposableWorkloadEntity = defineEntity({
   type: "k8s.exposable-workload",
-  schema: Type7.Union([deploymentEntity.schema, statefulSetEntity.schema]),
+  schema: Type.Union([deploymentEntity.schema, statefulSetEntity.schema]),
   meta: {
     color: "#4CAF50"
   }
 });
-var persistentVolumeClaimEntity = defineEntity6({
+var persistentVolumeClaimEntity = defineEntity({
   type: "k8s.persistent-volume-claim",
-  schema: Type7.Object({
-    type: Type7.Literal("k8s.persistent-volume-claim"),
+  schema: Type.Object({
+    type: Type.Literal("k8s.persistent-volume-claim"),
     ...resourceSchema.properties
   }),
   meta: {
     color: "#FFC107"
   }
 });
-var interfaceEntity = defineEntity6({
+var interfaceEntity = defineEntity({
   type: "k8s.interface",
-  schema: Type7.Object({
-    name: Type7.String(),
+  schema: Type.Object({
+    name: Type.String(),
     workload: exposableWorkloadEntity.schema
   }),
   meta: {
@@ -1321,7 +1619,7 @@ var interfaceEntity = defineEntity6({
     description: "The interface in a network space of pod kernel which can accept or transmit packets."
   }
 });
-var gatewayApi = defineUnit5({
+var gatewayApi = defineUnit({
   type: "k8s.gateway-api",
   inputs: {
     k8sCluster: clusterEntity2
@@ -1342,7 +1640,7 @@ var gatewayApi = defineUnit5({
     path: "units/gateway-api"
   }
 });
-var cilium = defineUnit5({
+var cilium = defineUnit({
   type: "k8s.cilium",
   args: {
     /**
@@ -1352,7 +1650,16 @@ var cilium = defineUnit5({
      *
      * By default, is `false`.
      */
-    allowForbiddenFqdnResolution: Type7.Default(Type7.Boolean(), false)
+    allowForbiddenFqdnResolution: {
+      schema: Type.Default(Type.Boolean(), false),
+      meta: {
+        description: `If set to \`true\`, the generated network policy will allow
+ all DNS queries to be resolved, even if they are
+ for forbidden (non-allowed) FQDNs.
+
+ By default, is \`false\`.`
+      }
+    }
   },
   inputs: {
     k8sCluster: clusterEntity2
@@ -1372,6 +1679,21 @@ var cilium = defineUnit5({
     path: "unit"
   }
 });
+var monitorWorkerResourceGroupSchema = Type.Object({
+  type: Type.StringEnum(["deployment", "statefulset", "pod", "service"]),
+  namespace: Type.String(),
+  names: Type.Optional(Type.Array(Type.String()))
+});
+var monitorWorkerParamsSchema = Type.Object({
+  /**
+   * The ID of the secret containing the kubeconfig of the cluster.
+   */
+  kubeconfigSecretId: Type.String(),
+  /**
+   * The resources to monitor in the cluster.
+   */
+  resourceGroups: Type.Array(monitorWorkerResourceGroupSchema)
+});
 
 // src/talos.ts
 var talos_exports = {};
@@ -1381,20 +1703,19 @@ __export(talos_exports, {
   cniSchema: () => cniSchema2,
   csiSchema: () => csiSchema
 });
-import { defineEntity as defineEntity7, defineUnit as defineUnit6, Type as Type8 } from "@highstate/contract";
-var clusterEntity3 = defineEntity7({
+var clusterEntity3 = defineEntity({
   type: "talos.cluster",
-  schema: Type8.Object({
-    clientConfiguration: Type8.String(),
-    machineSecrets: Type8.String()
+  schema: Type.Object({
+    clientConfiguration: Type.String(),
+    machineSecrets: Type.String()
   }),
   meta: {
     color: "#2d2d2d"
   }
 });
-var cniSchema2 = Type8.StringEnum(["none", "cilium", "flannel"]);
-var csiSchema = Type8.StringEnum(["none", "local-path-provisioner"]);
-var cluster = defineUnit6({
+var cniSchema2 = Type.StringEnum(["none", "cilium", "flannel"]);
+var csiSchema = Type.StringEnum(["none", "local-path-provisioner"]);
+var cluster = defineUnit({
   type: "talos.cluster",
   args: {
     ...scheduleOnMastersPolicyArgs,
@@ -1402,14 +1723,14 @@ var cluster = defineUnit6({
      * The name of the cluster.
      *
      * By default, the name of the instance is used.
-     *
-     * @schema
      */
     clusterName: {
-      ...Type8.Optional(Type8.String()),
-      description: `The name of the cluster.
+      schema: Type.Optional(Type.String()),
+      meta: {
+        description: `The name of the cluster.
 
  By default, the name of the instance is used.`
+      }
     },
     /**
      * The CNI plugin to use.
@@ -1420,12 +1741,11 @@ var cluster = defineUnit6({
      * - "none" (disable CNI, must be installed manually)
      *
      * The "cilium" CNI plugin is recommended to cover advanced network policies like FQDNs.
-     *
-     * @schema
      */
     cni: {
-      ...Type8.Default(cniSchema2, "cilium"),
-      description: `The CNI plugin to use.
+      schema: Type.Default(cniSchema2, "cilium"),
+      meta: {
+        description: `The CNI plugin to use.
 
  The following options are available:
  - "cilium" (default)
@@ -1433,6 +1753,7 @@ var cluster = defineUnit6({
  - "none" (disable CNI, must be installed manually)
 
  The "cilium" CNI plugin is recommended to cover advanced network policies like FQDNs.`
+      }
     },
     /**
      * The CSI plugin to use.
@@ -1440,49 +1761,49 @@ var cluster = defineUnit6({
      * The following options are available:
      * - "local-path-provisioner" (default)
      * - "none" (disable CSI, must be installed manually if needed)
-     *
-     * @schema
      */
     csi: {
-      ...Type8.Default(csiSchema, "local-path-provisioner"),
-      description: `The CSI plugin to use.
+      schema: Type.Default(csiSchema, "local-path-provisioner"),
+      meta: {
+        description: `The CSI plugin to use.
 
  The following options are available:
  - "local-path-provisioner" (default)
  - "none" (disable CSI, must be installed manually if needed)`
+      }
     },
     /**
      * The shared configuration patch.
      * It will be applied to all nodes.
-     *
-     * @schema
      */
     sharedConfigPatch: {
-      ...Type8.Optional(Type8.Record(Type8.String(), Type8.Any())),
-      description: `The shared configuration patch.
+      schema: Type.Optional(Type.Record(Type.String(), Type.Any())),
+      meta: {
+        description: `The shared configuration patch.
  It will be applied to all nodes.`
+      }
     },
     /**
      * The master configuration patch.
      * It will be applied to all master nodes.
-     *
-     * @schema
      */
     masterConfigPatch: {
-      ...Type8.Optional(Type8.Record(Type8.String(), Type8.Any())),
-      description: `The master configuration patch.
+      schema: Type.Optional(Type.Record(Type.String(), Type.Any())),
+      meta: {
+        description: `The master configuration patch.
  It will be applied to all master nodes.`
+      }
     },
     /**
      * The worker configuration patch.
      * It will be applied to all worker nodes.
-     *
-     * @schema
      */
     workerConfigPatch: {
-      ...Type8.Optional(Type8.Record(Type8.String(), Type8.Any())),
-      description: `The worker configuration patch.
+      schema: Type.Optional(Type.Record(Type.String(), Type.Any())),
+      meta: {
+        description: `The worker configuration patch.
  It will be applied to all worker nodes.`
+      }
     },
     /**
      * Whether to enable the Tun device plugin.
@@ -1491,7 +1812,16 @@ var cluster = defineUnit6({
      *
      * By default, this option is set to true.
      */
-    enableTunDevicePlugin: Type8.Default(Type8.Boolean(), true)
+    enableTunDevicePlugin: {
+      schema: Type.Default(Type.Boolean(), true),
+      meta: {
+        description: `Whether to enable the Tun device plugin.
+
+ There is the only option for Talos to get tun device in containers.
+
+ By default, this option is set to true.`
+      }
+    }
   },
   inputs: clusterInputs,
   outputs: {
@@ -1528,27 +1858,25 @@ __export(wireguard_exports, {
   peerEntity: () => peerEntity,
   peerPatch: () => peerPatch
 });
-import { defineEntity as defineEntity8, defineUnit as defineUnit7, Type as Type9 } from "@highstate/contract";
-import { omit } from "remeda";
-var backendSchema = Type9.StringEnum(["wireguard", "amneziawg"]);
-var networkEntity = defineEntity8({
+var backendSchema = Type.StringEnum(["wireguard", "amneziawg"]);
+var networkEntity = defineEntity({
   type: "wireguard.network",
-  schema: Type9.Object({
+  schema: Type.Object({
     backend: backendSchema,
-    ipv6: Type9.Boolean()
+    ipv6: Type.Boolean()
   })
 });
-var nodeExposePolicySchema = Type9.StringEnum(["always", "when-has-endpoint", "never"]);
-var peerEntity = defineEntity8({
+var nodeExposePolicySchema = Type.StringEnum(["always", "when-has-endpoint", "never"]);
+var peerEntity = defineEntity({
   type: "wireguard.peer",
-  schema: Type9.Object({
-    name: Type9.String(),
-    network: Type9.Optional(networkEntity.schema),
-    publicKey: Type9.String(),
-    address: Type9.Optional(Type9.String()),
-    allowedIps: Type9.Array(Type9.String()),
-    endpoints: Type9.Array(l4EndpointEntity.schema),
-    allowedEndpoints: Type9.Array(Type9.Union([l3EndpointEntity.schema, l4EndpointEntity.schema])),
+  schema: Type.Object({
+    name: Type.String(),
+    network: Type.Optional(networkEntity.schema),
+    publicKey: Type.String(),
+    address: Type.Optional(Type.String()),
+    allowedIps: Type.Array(Type.String()),
+    endpoints: Type.Array(l4EndpointEntity.schema),
+    allowedEndpoints: Type.Array(Type.Union([l3EndpointEntity.schema, l4EndpointEntity.schema])),
     /**
      * The pre-shared key of the WireGuard peer.
      *
@@ -1556,32 +1884,32 @@ var peerEntity = defineEntity8({
      *
      * Will be ignored if both peers have `presharedKeyPart` set.
      */
-    presharedKey: Type9.Optional(Type9.String()),
+    presharedKey: Type.Optional(Type.String()),
     /**
      * The pre-shared key part of the WireGuard peer.
      *
      * If both peers have `presharedKeyPart` set, their `presharedKey` will be calculated as XOR of the two parts.
      */
-    presharedKeyPart: Type9.Optional(Type9.String()),
-    excludedIps: Type9.Array(Type9.String()),
-    dns: Type9.Array(Type9.String()),
-    listenPort: Type9.Optional(Type9.Number())
+    presharedKeyPart: Type.Optional(Type.String()),
+    excludedIps: Type.Array(Type.String()),
+    dns: Type.Array(Type.String()),
+    listenPort: Type.Optional(Type.Number())
   }),
   meta: {
     color: "#673AB7"
   }
 });
-var identityEntity = defineEntity8({
+var identityEntity = defineEntity({
   type: "wireguard.identity",
-  schema: Type9.Object({
+  schema: Type.Object({
     peer: peerEntity.schema,
-    privateKey: Type9.String()
+    privateKey: Type.String()
   }),
   meta: {
     color: "#F44336"
   }
 });
-var network = defineUnit7({
+var network = defineUnit({
   type: "wireguard.network",
   args: {
     /**
@@ -1592,31 +1920,31 @@ var network = defineUnit7({
      * 2. `amneziawg` - The censorship-resistant fork of WireGuard.
      *
      * By default, the `wireguard` backend is used.
-     *
-     * @schema
      */
     backend: {
-      ...Type9.Default(backendSchema, "wireguard"),
-      description: `The backend to use for the WireGuard network.
+      schema: Type.Default(backendSchema, "wireguard"),
+      meta: {
+        description: `The backend to use for the WireGuard network.
 
  Possible values are:
  1. \`wireguard\` - The default backend.
  2. \`amneziawg\` - The censorship-resistant fork of WireGuard.
 
  By default, the \`wireguard\` backend is used.`
+      }
     },
     /**
      * The option to enable IPv6 support in the network.
      *
      * By default, IPv6 support is disabled.
-     *
-     * @schema
      */
     ipv6: {
-      ...Type9.Default(Type9.Boolean(), false),
-      description: `The option to enable IPv6 support in the network.
+      schema: Type.Default(Type.Boolean(), false),
+      meta: {
+        description: `The option to enable IPv6 support in the network.
 
  By default, IPv6 support is disabled.`
+      }
     }
   },
   outputs: {
@@ -1639,41 +1967,20 @@ var sharedPeerArgs = {
    * The name of the WireGuard peer.
    *
    * If not provided, the peer will be named after the unit.
-   *
-   * @schema
    */
-  peerName: {
-    ...Type9.Optional(Type9.String()),
-    description: `The name of the WireGuard peer.
-
- If not provided, the peer will be named after the unit.`
-  },
+  peerName: Type.Optional(Type.String()),
   /**
    * The address of the WireGuard interface.
    *
    * The address may be any IPv4 or IPv6 address. CIDR notation is also supported.
-   *
-   * @schema
    */
-  address: {
-    ...Type9.Optional(Type9.String()),
-    description: `The address of the WireGuard interface.
-
- The address may be any IPv4 or IPv6 address. CIDR notation is also supported.`
-  },
+  address: Type.Optional(Type.String()),
   /**
    * The convenience option to set `allowedIps` to `0.0.0.0/0, ::/0`.
    *
    * Will be merged with the `allowedIps` if provided.
-   *
-   * @schema
    */
-  exitNode: {
-    ...Type9.Default(Type9.Boolean(), false),
-    description: `The convenience option to set \`allowedIps\` to \`0.0.0.0/0, ::/0\`.
-
- Will be merged with the \`allowedIps\` if provided.`
-  },
+  exitNode: Type.Default(Type.Boolean(), false),
   /**
    * The list of IP ranges to exclude from the tunnel.
    *
@@ -1682,19 +1989,8 @@ var sharedPeerArgs = {
    * - This list will not be used to generate the allowed IPs for the peer.
    * - Instead, the node will setup extra direct routes to these IPs via default gateway.
    * - This allows to use `0.0.0.0/0, ::/0` in the `allowedIps` (and corresponding fwmark magic) and still have some IPs excluded from the tunnel.
-   *
-   * @schema
    */
-  excludedIps: {
-    ...Type9.Default(Type9.Array(Type9.String()), []),
-    description: `The list of IP ranges to exclude from the tunnel.
-
- Implementation notes:
-
- - This list will not be used to generate the allowed IPs for the peer.
- - Instead, the node will setup extra direct routes to these IPs via default gateway.
- - This allows to use \`0.0.0.0/0, ::/0\` in the \`allowedIps\` (and corresponding fwmark magic) and still have some IPs excluded from the tunnel.`
-  },
+  excludedIps: Type.Default(Type.Array(Type.String()), []),
   /**
    * The convenience option to exclude private IPs from the tunnel.
    *
@@ -1710,134 +2006,64 @@ var sharedPeerArgs = {
    * - `fe80::/10`
    *
    * Will be merged with `excludedIps` if provided.
-   *
-   * @schema
    */
-  excludePrivateIps: {
-    ...Type9.Default(Type9.Boolean(), false),
-    description: `The convenience option to exclude private IPs from the tunnel.
-
- For IPv4, the private IPs are:
-
- - \`10.0.0.0/8\`
- - \`172.16.0.0/12\`
- - \`192.168.0.0/16\`
-
- For IPv6, the private IPs are:
-
- - \`fc00::/7\`
- - \`fe80::/10\`
-
- Will be merged with \`excludedIps\` if provided.`
-  },
+  excludePrivateIps: Type.Default(Type.Boolean(), false),
   /**
    * The endpoints of the WireGuard peer.
-   *
-   * @schema
    */
-  endpoints: {
-    ...Type9.Default(Type9.Array(Type9.String()), []),
-    description: `The endpoints of the WireGuard peer.`
-  },
+  endpoints: Type.Default(Type.Array(Type.String()), []),
   /**
    * The allowed endpoints of the WireGuard peer.
    *
    * The non `hostname` endpoints will be added to the `allowedIps` of the peer.
-   *
-   * @schema
    */
-  allowedEndpoints: {
-    ...Type9.Default(Type9.Array(Type9.String()), []),
-    description: `The allowed endpoints of the WireGuard peer.
-
- The non \`hostname\` endpoints will be added to the \`allowedIps\` of the peer.`
-  },
+  allowedEndpoints: Type.Default(Type.Array(Type.String()), []),
   /**
    * The DNS servers that should be used by the interface connected to the WireGuard peer.
    *
    * If multiple peers define DNS servers, the node will merge them into a single list (but this is discouraged).
-   *
-   * @schema
    */
-  dns: {
-    ...Type9.Default(Type9.Array(Type9.String()), []),
-    description: `The DNS servers that should be used by the interface connected to the WireGuard peer.
-
- If multiple peers define DNS servers, the node will merge them into a single list (but this is discouraged).`
-  },
+  dns: Type.Default(Type.Array(Type.String()), []),
   /**
    * The convenience option to include the DNS servers to the allowed IPs.
    *
    * By default, is `true`.
-   *
-   * @schema
    */
-  includeDns: {
-    ...Type9.Default(Type9.Boolean(), true),
-    description: `The convenience option to include the DNS servers to the allowed IPs.
-
- By default, is \`true\`.`
-  },
+  includeDns: Type.Default(Type.Boolean(), true),
   /**
    * The port to listen on.
-   *
-   * @schema
    */
-  listenPort: {
-    ...Type9.Optional(Type9.Number()),
-    description: `The port to listen on.`
-  }
+  listenPort: Type.Optional(Type.Number())
 };
 var sharedPeerInputs = {
   /**
    * The network to use for the WireGuard identity.
    *
    * If not provided, the identity will use default network configuration.
-   *
-   * @schema
    */
   network: {
-    ...{
-      entity: networkEntity,
-      required: false
-    },
-    description: `The network to use for the WireGuard identity.
-
- If not provided, the identity will use default network configuration.`
+    entity: networkEntity,
+    required: false
   },
   /**
    * The L3 endpoints of the identity.
    *
    * Will produce L4 endpoints for each of the provided L3 endpoints.
-   *
-   * @schema
    */
   l3Endpoints: {
-    ...{
-      entity: l3EndpointEntity,
-      multiple: true,
-      required: false
-    },
-    description: `The L3 endpoints of the identity.
-
- Will produce L4 endpoints for each of the provided L3 endpoints.`
+    entity: l3EndpointEntity,
+    multiple: true,
+    required: false
   },
   /**
    * The L4 endpoints of the identity.
    *
-   * Will take priority over all calculated endpoints if provided.
-   *
-   * @schema
-   */
-  l4Endpoints: {
-    ...{
-      entity: l4EndpointEntity,
-      required: false,
-      multiple: true
-    },
-    description: `The L4 endpoints of the identity.
-
- Will take priority over all calculated endpoints if provided.`
+   * Will take priority over all calculated endpoints if provided.
+   */
+  l4Endpoints: {
+    entity: l4EndpointEntity,
+    required: false,
+    multiple: true
   },
   /**
    * The L3 endpoints to add to the allowed IPs of the identity.
@@ -1846,40 +2072,22 @@ var sharedPeerInputs = {
    *
    * If the endpoint contains k8s service metadata of the cluster where the identity node is deployed,
    * the corresponding network policy will be created.
-   *
-   * @schema
    */
   allowedL3Endpoints: {
-    ...{
-      entity: l3EndpointEntity,
-      multiple: true,
-      required: false
-    },
-    description: `The L3 endpoints to add to the allowed IPs of the identity.
-
- \`hostname\` endpoints will be ignored.
-
- If the endpoint contains k8s service metadata of the cluster where the identity node is deployed,
- the corresponding network policy will be created.`
+    entity: l3EndpointEntity,
+    multiple: true,
+    required: false
   },
   /**
    * The L4 endpoints to add to the allowed IPs of the identity.
    *
    * If the endpoint contains k8s service metadata of the cluster where the identity node is deployed,
    * the corresponding network policy will be created.
-   *
-   * @schema
    */
   allowedL4Endpoints: {
-    ...{
-      entity: l4EndpointEntity,
-      multiple: true,
-      required: false
-    },
-    description: `The L4 endpoints to add to the allowed IPs of the identity.
-
- If the endpoint contains k8s service metadata of the cluster where the identity node is deployed,
- the corresponding network policy will be created.`
+    entity: l4EndpointEntity,
+    multiple: true,
+    required: false
   }
 };
 var sharedPeerOutputs = {
@@ -1890,29 +2098,29 @@ var sharedPeerOutputs = {
     multiple: true
   }
 };
-var peer = defineUnit7({
+var peer = defineUnit({
   type: "wireguard.peer",
   args: {
     ...sharedPeerArgs,
     /**
      * The public key of the WireGuard peer.
-     *
-     * @schema
      */
     publicKey: {
-      ...Type9.String(),
-      description: `The public key of the WireGuard peer.`
+      schema: Type.String(),
+      meta: {
+        description: `The public key of the WireGuard peer.`
+      }
     }
   },
   secrets: {
     /**
      * The pre-shared key which should be used for the peer.
-     *
-     * @schema
      */
     presharedKey: {
-      ...Type9.Optional(Type9.String()),
-      description: `The pre-shared key which should be used for the peer.`
+      schema: Type.Optional(Type.String()),
+      meta: {
+        description: `The pre-shared key which should be used for the peer.`
+      }
     }
   },
   inputs: sharedPeerInputs,
@@ -1929,17 +2137,17 @@ var peer = defineUnit7({
     path: "peer"
   }
 });
-var peerPatch = defineUnit7({
+var peerPatch = defineUnit({
   type: "wireguard.peer-patch",
   args: {
     /**
      * The endpoints of the WireGuard peer.
-     *
-     * @schema
      */
     endpoints: {
-      ...Type9.Default(Type9.Array(Type9.String()), []),
-      description: `The endpoints of the WireGuard peer.`
+      schema: Type.Default(Type.Array(Type.String()), []),
+      meta: {
+        description: `The endpoints of the WireGuard peer.`
+      }
     },
     /**
      * The mode to use for patching the endpoints.
@@ -1947,19 +2155,27 @@ var peerPatch = defineUnit7({
      * - `prepend`: prepend the new endpoints to the existing ones (default);
      * - `replace`: replace the existing endpoints with the new ones.
      */
-    endpointsPatchMode: Type9.Default(arrayPatchModeSchema, "prepend"),
+    endpointsPatchMode: {
+      schema: Type.Default(arrayPatchModeSchema, "prepend"),
+      meta: {
+        description: `The mode to use for patching the endpoints.
+
+ - \`prepend\`: prepend the new endpoints to the existing ones (default);
+ - \`replace\`: replace the existing endpoints with the new ones.`
+      }
+    },
     /**
      * The allowed endpoints of the WireGuard peer.
      *
      * The non `hostname` endpoints will be added to the `allowedIps` of the peer.
-     *
-     * @schema
      */
     allowedEndpoints: {
-      ...Type9.Default(Type9.Array(Type9.String()), []),
-      description: `The allowed endpoints of the WireGuard peer.
+      schema: Type.Default(Type.Array(Type.String()), []),
+      meta: {
+        description: `The allowed endpoints of the WireGuard peer.
 
  The non \`hostname\` endpoints will be added to the \`allowedIps\` of the peer.`
+      }
     },
     /**
      * The mode to use for patching the allowed endpoints.
@@ -1967,7 +2183,15 @@ var peerPatch = defineUnit7({
      * - `prepend`: prepend the new endpoints to the existing ones (default);
      * - `replace`: replace the existing endpoints with the new ones.
      */
-    allowedEndpointsPatchMode: Type9.Default(arrayPatchModeSchema, "prepend"),
+    allowedEndpointsPatchMode: {
+      schema: Type.Default(arrayPatchModeSchema, "prepend"),
+      meta: {
+        description: `The mode to use for patching the allowed endpoints.
+
+ - \`prepend\`: prepend the new endpoints to the existing ones (default);
+ - \`replace\`: replace the existing endpoints with the new ones.`
+      }
+    },
     ...omit(sharedPeerArgs, ["endpoints", "allowedEndpoints"])
   },
   inputs: {
@@ -1995,7 +2219,7 @@ var peerPatch = defineUnit7({
     path: "peer-patch"
   }
 });
-var identity = defineUnit7({
+var identity = defineUnit({
   type: "wireguard.identity",
   args: {
     ...sharedPeerArgs,
@@ -2003,14 +2227,14 @@ var identity = defineUnit7({
      * The port to listen on.
      *
      * Used by the implementation of the identity and to calculate the endpoint of the peer.
-     *
-     * @schema
      */
     listenPort: {
-      ...Type9.Optional(Type9.Number()),
-      description: `The port to listen on.
+      schema: Type.Optional(Type.Number()),
+      meta: {
+        description: `The port to listen on.
 
  Used by the implementation of the identity and to calculate the endpoint of the peer.`
+      }
     },
     /**
      * The endpoint of the WireGuard peer.
@@ -2018,16 +2242,16 @@ var identity = defineUnit7({
      * If overridden, does not affect node which implements the identity, but is used in the peer configuration of other nodes.
      *
      * Will take priority over all calculated endpoints and `l4Endpoint` input.
-     *
-     * @schema
      */
     endpoints: {
-      ...Type9.Default(Type9.Array(Type9.String()), []),
-      description: `The endpoint of the WireGuard peer.
+      schema: Type.Default(Type.Array(Type.String()), []),
+      meta: {
+        description: `The endpoint of the WireGuard peer.
 
  If overridden, does not affect node which implements the identity, but is used in the peer configuration of other nodes.
 
  Will take priority over all calculated endpoints and \`l4Endpoint\` input.`
+      }
     }
   },
   secrets: {
@@ -2035,27 +2259,27 @@ var identity = defineUnit7({
      * The private key of the WireGuard identity.
      *
      * If not provided, the key will be generated automatically.
-     *
-     * @schema
      */
     privateKey: {
-      ...Type9.Optional(Type9.String()),
-      description: `The private key of the WireGuard identity.
+      schema: Type.Optional(Type.String()),
+      meta: {
+        description: `The private key of the WireGuard identity.
 
  If not provided, the key will be generated automatically.`
+      }
     },
     /**
      * The part of the pre-shared of the WireGuard identity.
      *
      * Will be generated automatically if not provided.
-     *
-     * @schema
      */
     presharedKeyPart: {
-      ...Type9.Optional(Type9.String()),
-      description: `The part of the pre-shared of the WireGuard identity.
+      schema: Type.Optional(Type.String()),
+      meta: {
+        description: `The part of the pre-shared of the WireGuard identity.
 
  Will be generated automatically if not provided.`
+      }
     }
   },
   inputs: sharedPeerInputs,
@@ -2075,30 +2299,30 @@ var identity = defineUnit7({
     path: "identity"
   }
 });
-var node = defineUnit7({
+var node = defineUnit({
   type: "wireguard.node",
   args: {
     /**
      * The name of the namespace/deployment/statefulset where the WireGuard node will be deployed.
      *
      * By default, the name is `wg-${identity.name}`.
-     *
-     * @schema
      */
     appName: {
-      ...Type9.Optional(Type9.String()),
-      description: `The name of the namespace/deployment/statefulset where the WireGuard node will be deployed.
+      schema: Type.Optional(Type.String()),
+      meta: {
+        description: `The name of the namespace/deployment/statefulset where the WireGuard node will be deployed.
 
  By default, the name is \`wg-\${identity.name}\`.`
+      }
     },
     /**
      * Whether to expose the WireGuard node to the outside world.
-     *
-     * @schema
      */
     external: {
-      ...Type9.Default(Type9.Boolean(), false),
-      description: `Whether to expose the WireGuard node to the outside world.`
+      schema: Type.Default(Type.Boolean(), false),
+      meta: {
+        description: `Whether to expose the WireGuard node to the outside world.`
+      }
     },
     /**
      * The policy to use for exposing the WireGuard node.
@@ -2109,19 +2333,49 @@ var node = defineUnit7({
      *
      * * By default, the `when-has-endpoint` policy is used.
      */
-    exposePolicy: Type9.Default(nodeExposePolicySchema, "when-has-endpoint"),
+    exposePolicy: {
+      schema: Type.Default(nodeExposePolicySchema, "when-has-endpoint"),
+      meta: {
+        description: `The policy to use for exposing the WireGuard node.
+
+ - \`always\` - The node will be exposed and the service will be created.
+ - \`when-has-endpoint\` - The node will be exposed only if the provided idenity has at least one endpoint.
+ - \`never\` - The node will not be exposed and the service will not be created.
+
+ * By default, the \`when-has-endpoint\` policy is used.`
+      }
+    },
     /**
      * The extra specification of the container which runs the WireGuard node.
      *
      * Will override any overlapping fields.
-     *
-     * @schema
      */
     containerSpec: {
-      ...Type9.Optional(Type9.Record(Type9.String(), Type9.Any())),
-      description: `The extra specification of the container which runs the WireGuard node.
+      schema: Type.Optional(Type.Record(Type.String(), Type.Any())),
+      meta: {
+        description: `The extra specification of the container which runs the WireGuard node.
 
  Will override any overlapping fields.`
+      }
+    },
+    /**
+     * List of CIDR blocks that should be blocked from forwarding through this WireGuard node.
+     *
+     * This prevents other peers from reaching these destination CIDRs while still allowing
+     * the peers in those CIDRs to access the internet and other allowed endpoints.
+     *
+     * Useful for peer isolation where you want to prevent cross-peer communication.
+     */
+    forwardRestrictedIps: {
+      schema: Type.Default(Type.Array(Type.String()), []),
+      meta: {
+        description: `List of CIDR blocks that should be blocked from forwarding through this WireGuard node.
+
+ This prevents other peers from reaching these destination CIDRs while still allowing
+ the peers in those CIDRs to access the internet and other allowed endpoints.
+
+ Useful for peer isolation where you want to prevent cross-peer communication.`
+      }
     }
   },
   inputs: {
@@ -2168,21 +2422,21 @@ var node = defineUnit7({
     path: "node"
   }
 });
-var config = defineUnit7({
+var config = defineUnit({
   type: "wireguard.config",
   args: {
     /**
      * The name of the "default" interface where non-tunneled traffic should go.
      *
      * If not provided, the config will not respect `excludedIps`.
-     *
-     * @schema
      */
     defaultInterface: {
-      ...Type9.Optional(Type9.String()),
-      description: `The name of the "default" interface where non-tunneled traffic should go.
+      schema: Type.Optional(Type.String()),
+      meta: {
+        description: `The name of the "default" interface where non-tunneled traffic should go.
 
  If not provided, the config will not respect \`excludedIps\`.`
+      }
     }
   },
   inputs: {
@@ -2206,7 +2460,7 @@ var config = defineUnit7({
     path: "config"
   }
 });
-var configBundle = defineUnit7({
+var configBundle = defineUnit({
   type: "wireguard.config-bundle",
   inputs: {
     identity: identityEntity,
@@ -2264,36 +2518,29 @@ __export(apps_exports, {
   vaultwarden: () => vaultwarden
 });
 
-// src/apps/mariadb.ts
-import { defineEntity as defineEntity10, defineUnit as defineUnit9, Type as Type12 } from "@highstate/contract";
-
-// src/apps/shared.ts
-import { Type as Type11 } from "@highstate/contract";
-
 // src/restic.ts
 var restic_exports = {};
 __export(restic_exports, {
   repo: () => repo,
-  repoEntity: () => repoEntity
-});
-import { defineEntity as defineEntity9, defineUnit as defineUnit8, Type as Type10 } from "@highstate/contract";
-var repoEntity = defineEntity9({
-  type: "restic.repo",
-  schema: Type10.Object({
-    remoteEndpoints: Type10.Array(Type10.Union([l3EndpointEntity.schema, l4EndpointEntity.schema])),
-    type: Type10.Literal("rclone"),
-    rcloneConfig: Type10.String(),
-    remoteName: Type10.String(),
-    pathPattern: Type10.String()
+  repositoryEntity: () => repositoryEntity
+});
+var repositoryEntity = defineEntity({
+  type: "restic.repository",
+  schema: Type.Object({
+    remoteEndpoints: Type.Array(Type.Union([l3EndpointEntity.schema, l4EndpointEntity.schema])),
+    type: Type.Literal("rclone"),
+    rcloneConfig: Type.String(),
+    remoteName: Type.String(),
+    pathPattern: Type.String()
   }),
   meta: {
     color: "#e56901"
   }
 });
-var repo = defineUnit8({
+var repo = defineUnit({
   type: "restic.repo",
   args: {
-    remoteEndpoints: Type10.Default(Type10.Array(Type10.String()), []),
+    remoteEndpoints: Type.Default(Type.Array(Type.String()), []),
     /**
      * The pattern for the path where backups will be stored for the specific application.
      *
@@ -2304,12 +2551,11 @@ var repo = defineUnit8({
      * - `$unitName`: The name of the unit, which deploys the application, provided by the user.
      *
      * By default, the path pattern is `backups/$clusterName/$appName`.
-     *
-     * @schema
      */
     pathPattern: {
-      ...Type10.Default(Type10.String(), "backups/$clusterName/$appName"),
-      description: `The pattern for the path where backups will be stored for the specific application.
+      schema: Type.Default(Type.String(), "backups/$clusterName/$appName"),
+      meta: {
+        description: `The pattern for the path where backups will be stored for the specific application.
 
  Available variables:
 
@@ -2318,10 +2564,11 @@ var repo = defineUnit8({
  - \`$unitName\`: The name of the unit, which deploys the application, provided by the user.
 
  By default, the path pattern is \`backups/$clusterName/$appName\`.`
+      }
     }
   },
   secrets: {
-    rcloneConfig: Type10.String({ language: "ini" })
+    rcloneConfig: Type.String({ language: "ini" })
   },
   inputs: {
     remoteL3Endpoints: {
@@ -2336,7 +2583,7 @@ var repo = defineUnit8({
     }
   },
   outputs: {
-    repo: repoEntity
+    repo: repositoryEntity
   },
   meta: {
     displayName: "Restic Repo",
@@ -2354,24 +2601,24 @@ var repo = defineUnit8({
 // src/apps/shared.ts
 var extraArgsDefinitions = {
   fqdn: {
-    schema: Type11.String()
+    schema: Type.String()
   },
   endpoints: {
-    schema: Type11.Array(Type11.String()),
+    schema: Type.Array(Type.String()),
     required: false
   },
   external: {
-    schema: Type11.Boolean(),
+    schema: Type.Boolean(),
     required: false
   }
 };
 var extraSecretsDefinitions = {
   rootPassword: {
-    schema: Type11.String(),
+    schema: Type.String(),
     required: false
   },
   backupPassword: {
-    schema: Type11.String(),
+    schema: Type.String(),
     required: false
   }
 };
@@ -2380,7 +2627,7 @@ var eagerExtraInputDefinitions = {
     entity: accessPointEntity
   },
   resticRepo: {
-    entity: repoEntity,
+    entity: repositoryEntity,
     required: false
   },
   dnsProviders: {
@@ -2398,7 +2645,7 @@ var extraInputDefinitions = {
 };
 function createArgs2(defaultAppName, extraArgs) {
   const base = {
-    appName: Type11.Default(Type11.String(), defaultAppName)
+    appName: Type.Default(Type.String(), defaultAppName)
   };
   const dynamicArgs = {};
   if (Array.isArray(extraArgs)) {
@@ -2483,21 +2730,21 @@ function createSource(path) {
     path
   };
 }
-var databaseSchema = Type11.Object({
-  endpoints: Type11.Array(l4EndpointEntity.schema),
-  service: Type11.Optional(serviceEntity.schema),
-  rootPassword: Type11.String()
+var databaseSchema = Type.Object({
+  endpoints: Type.Array(l4EndpointEntity.schema),
+  service: Type.Optional(serviceEntity.schema),
+  rootPassword: Type.String()
 });
 
 // src/apps/mariadb.ts
-var mariadbEntity = defineEntity10({
+var mariadbEntity = defineEntity({
   type: "apps.mariadb",
   schema: databaseSchema,
   meta: {
     color: "#f06292"
   }
 });
-var mariadb = defineUnit9({
+var mariadb = defineUnit({
   type: "apps.mariadb",
   args: createArgs2("mariadb", ["external"]),
   secrets: createSecrets(["rootPassword", "backupPassword"]),
@@ -2523,15 +2770,15 @@ extraInputDefinitions.mariadb = {
   entity: mariadbEntity,
   displayName: "MariaDB"
 };
-var mariadbDatabase = defineUnit9({
+var mariadbDatabase = defineUnit({
   type: "apps.mariadb.database",
   args: {
-    database: Type12.Optional(Type12.String()),
-    username: Type12.Optional(Type12.String())
+    database: Type.Optional(Type.String()),
+    username: Type.Optional(Type.String())
   },
   inputs: createInputs(["mariadb"]),
   secrets: {
-    password: Type12.Optional(Type12.String())
+    password: Type.Optional(Type.String())
   },
   meta: {
     displayName: "MariaDB Database",
@@ -2542,17 +2789,14 @@ var mariadbDatabase = defineUnit9({
   },
   source: createSource("mariadb/database")
 });
-
-// src/apps/postgresql.ts
-import { defineEntity as defineEntity11, defineUnit as defineUnit10, Type as Type13 } from "@highstate/contract";
-var postgresqlEntity = defineEntity11({
+var postgresqlEntity = defineEntity({
   type: "apps.postgresql",
   schema: databaseSchema,
   meta: {
     color: "#336791"
   }
 });
-var postgresql = defineUnit10({
+var postgresql = defineUnit({
   type: "apps.postgresql",
   args: createArgs2("postgresql", ["external"]),
   secrets: createSecrets(["rootPassword", "backupPassword"]),
@@ -2578,14 +2822,14 @@ extraInputDefinitions.postgresql = {
   entity: postgresqlEntity,
   displayName: "PostgreSQL"
 };
-var postgresqlDatabase = defineUnit10({
+var postgresqlDatabase = defineUnit({
   type: "apps.postgresql.database",
   args: {
-    database: Type13.Optional(Type13.String()),
-    username: Type13.Optional(Type13.String())
+    database: Type.Optional(Type.String()),
+    username: Type.Optional(Type.String())
   },
   secrets: {
-    password: Type13.Optional(Type13.String())
+    password: Type.Optional(Type.String())
   },
   inputs: createInputs(["postgresql"]),
   meta: {
@@ -2597,14 +2841,11 @@ var postgresqlDatabase = defineUnit10({
   },
   source: createSource("postgresql/database")
 });
-
-// src/apps/vaultwarden.ts
-import { defineUnit as defineUnit11, Type as Type14 } from "@highstate/contract";
-var vaultwarden = defineUnit11({
+var vaultwarden = defineUnit({
   type: "apps.vaultwarden",
   args: createArgs2("vaultwarden", ["fqdn"]),
   secrets: {
-    mariadbPassword: Type14.Optional(Type14.String())
+    mariadbPassword: Type.Optional(Type.String())
   },
   inputs: createInputs(["accessPoint", "mariadb"]),
   meta: {
@@ -2615,17 +2856,14 @@ var vaultwarden = defineUnit11({
   },
   source: createSource("vaultwarden")
 });
-
-// src/apps/mongodb.ts
-import { defineEntity as defineEntity12, defineUnit as defineUnit12, Type as Type15 } from "@highstate/contract";
-var mongodbEntity = defineEntity12({
+var mongodbEntity = defineEntity({
   type: "apps.mongodb",
   schema: databaseSchema,
   meta: {
     color: "#13aa52"
   }
 });
-var mongodb = defineUnit12({
+var mongodb = defineUnit({
   type: "apps.mongodb",
   args: createArgs2("mongodb", ["external"]),
   secrets: createSecrets(["rootPassword", "backupPassword"]),
@@ -2651,14 +2889,14 @@ extraInputDefinitions.mongodb = {
   entity: mongodbEntity,
   displayName: "MongoDB"
 };
-var mongodbDatabase = defineUnit12({
+var mongodbDatabase = defineUnit({
   type: "apps.mongodb.database",
   args: {
-    database: Type15.Optional(Type15.String()),
-    username: Type15.Optional(Type15.String())
+    database: Type.Optional(Type.String()),
+    username: Type.Optional(Type.String())
   },
   secrets: {
-    password: Type15.Optional(Type15.String())
+    password: Type.Optional(Type.String())
   },
   inputs: createInputs(["mongodb"]),
   meta: {
@@ -2670,11 +2908,8 @@ var mongodbDatabase = defineUnit12({
   },
   source: createSource("mongodb/database")
 });
-
-// src/apps/network.ts
-import { defineUnit as defineUnit13, Type as Type16 } from "@highstate/contract";
-var explicitEndpointFilterSchema = Type16.StringEnum(["public", "external", "internal"]);
-var endpointFilter = defineUnit13({
+var explicitEndpointFilterSchema = Type.StringEnum(["public", "external", "internal"]);
+var endpointFilter = defineUnit({
   type: "apps.endpoint-filter",
   args: {
     /**
@@ -2684,7 +2919,16 @@ var endpointFilter = defineUnit13({
      * - `external`: Only external endpoints (e.g. NodePort, LoadBalancer) accessible from outside the cluster, but not from the internet.
      * - `internal`: Only internal endpoints (e.g. ClusterIP) accessible from within the cluster.
      */
-    filter: Type16.Default(explicitEndpointFilterSchema, "public")
+    filter: {
+      schema: Type.Default(explicitEndpointFilterSchema, "public"),
+      meta: {
+        description: `The filter to apply to the endpoints.
+
+ - \`public\`: Only public endpoints accessible from the internet.
+ - \`external\`: Only external endpoints (e.g. NodePort, LoadBalancer) accessible from outside the cluster, but not from the internet.
+ - \`internal\`: Only internal endpoints (e.g. ClusterIP) accessible from within the cluster.`
+      }
+    }
   },
   inputs: {
     l3Endpoints: {
@@ -2718,11 +2962,8 @@ var endpointFilter = defineUnit13({
   },
   source: createSource("endpoint-filter")
 });
-
-// src/apps/dns.ts
-import { defineUnit as defineUnit14, Type as Type17 } from "@highstate/contract";
-var endpointFilterSchema2 = Type17.StringEnum(["all", "public", "external", "internal"]);
-var recordSet = defineUnit14({
+var endpointFilterSchema2 = Type.StringEnum(["all", "public", "external", "internal"]);
+var recordSet = defineUnit({
   type: "apps.dns-record-set",
   args: {
     /**
@@ -2730,31 +2971,67 @@ var recordSet = defineUnit14({
      *
      * If not provided, will use the name of the unit.
      */
-    recordName: Type17.Optional(Type17.String()),
+    recordName: {
+      schema: Type.Optional(Type.String()),
+      meta: {
+        description: `The name of the DNS record.
+
+ If not provided, will use the name of the unit.`
+      }
+    },
     /**
      * The type of the DNS record.
      *
      * If not specified, will use the default type for the provider.
      */
-    type: Type17.Optional(Type17.String()),
+    type: {
+      schema: Type.Optional(Type.String()),
+      meta: {
+        description: `The type of the DNS record.
+
+ If not specified, will use the default type for the provider.`
+      }
+    },
     /**
      * The values of the DNS record.
      */
-    values: Type17.Array(Type17.String()),
+    values: {
+      schema: Type.Array(Type.String()),
+      meta: {
+        description: `The values of the DNS record.`
+      }
+    },
     /**
      * The TTL of the DNS record.
      */
-    ttl: Type17.Optional(Type17.Number()),
+    ttl: {
+      schema: Type.Optional(Type.Number()),
+      meta: {
+        description: `The TTL of the DNS record.`
+      }
+    },
     /**
      * The priority of the DNS record.
      */
-    priority: Type17.Optional(Type17.Number()),
+    priority: {
+      schema: Type.Optional(Type.Number()),
+      meta: {
+        description: `The priority of the DNS record.`
+      }
+    },
     /**
      * Whether the DNS record is proxied.
      *
      * Available only for public IPs and some DNS providers like Cloudflare.
      */
-    proxied: Type17.Optional(Type17.Boolean()),
+    proxied: {
+      schema: Type.Optional(Type.Boolean()),
+      meta: {
+        description: `Whether the DNS record is proxied.
+
+ Available only for public IPs and some DNS providers like Cloudflare.`
+      }
+    },
     /**
      * The filter to apply to the endpoints.
      *
@@ -2763,7 +3040,17 @@ var recordSet = defineUnit14({
      * - `external`: Only external endpoints (e.g. NodePort, LoadBalancer) accessible from outside the cluster, but not from the internet.
      * - `internal`: Only internal endpoints (e.g. ClusterIP) accessible from within the cluster.
      */
-    endpointFilter: Type17.Default(endpointFilterSchema2, "public")
+    endpointFilter: {
+      schema: Type.Default(endpointFilterSchema2, "public"),
+      meta: {
+        description: `The filter to apply to the endpoints.
+
+ - \`all\`: All endpoints.
+ - \`public\`: Only public endpoints accessible from the internet (default).
+ - \`external\`: Only external endpoints (e.g. NodePort, LoadBalancer) accessible from outside the cluster, but not from the internet.
+ - \`internal\`: Only internal endpoints (e.g. ClusterIP) accessible from within the cluster.`
+      }
+    }
   },
   inputs: {
     dnsProviders: {
@@ -2785,13 +3072,21 @@ var recordSet = defineUnit14({
     /**
      * The single L3 endpoint representing created DNS records.
      */
-    l3Endpoint: l3EndpointEntity,
+    l3Endpoint: {
+      entity: l3EndpointEntity,
+      meta: {
+        description: `The single L3 endpoint representing created DNS records.`
+      }
+    },
     /**
      * Multiple L4 endpoints representing created DNS records for each unique port/protocol combination from the input L4 endpoints.
      */
     l4Endpoints: {
       entity: l4EndpointEntity,
-      multiple: true
+      multiple: true,
+      meta: {
+        description: `Multiple L4 endpoints representing created DNS records for each unique port/protocol combination from the input L4 endpoints.`
+      }
     }
   },
   meta: {
@@ -2806,22 +3101,14 @@ var recordSet = defineUnit14({
 var sharedArgs = {
   /**
    * The FQDN to register the cluster nodes with.
-   *
-   * @schema
    */
-  fqdn: {
-    ...Type17.Optional(Type17.String()),
-    description: `The FQDN to register the cluster nodes with.`
-  }
+  fqdn: Type.Optional(Type.String())
 };
-
-// src/apps/traefik.ts
-import { defineUnit as defineUnit15, Type as Type18 } from "@highstate/contract";
-var traefikGateway = defineUnit15({
+var traefikGateway = defineUnit({
   type: "apps.traefik-gateway",
   args: {
     ...createArgs2("traefik", ["external"]),
-    className: Type18.Optional(Type18.String())
+    className: Type.Optional(Type.String())
   },
   inputs: createInputs(),
   outputs: {
@@ -2843,10 +3130,7 @@ var traefikGateway = defineUnit15({
     path: "traefik"
   }
 });
-
-// src/apps/kubernetes-dashboard.ts
-import { defineUnit as defineUnit16 } from "@highstate/contract";
-var kubernetesDashboard = defineUnit16({
+var kubernetesDashboard = defineUnit({
   type: "apps.kubernetes-dashboard",
   args: createArgs2("kubernetes-dashboard", ["fqdn"]),
   inputs: createInputs(["accessPoint"]),
@@ -2859,10 +3143,7 @@ var kubernetesDashboard = defineUnit16({
   },
   source: createSource("kubernetes-dashboard")
 });
-
-// src/apps/grocy.ts
-import { defineUnit as defineUnit17 } from "@highstate/contract";
-var grocy = defineUnit17({
+var grocy = defineUnit({
   type: "apps.grocy",
   args: createArgs2("grocy", ["fqdn"]),
   secrets: createSecrets(["backupPassword"]),
@@ -2875,16 +3156,13 @@ var grocy = defineUnit17({
   },
   source: createSource("grocy")
 });
-
-// src/apps/maybe.ts
-import { defineUnit as defineUnit18, Type as Type19 } from "@highstate/contract";
-var maybe = defineUnit18({
+var maybe = defineUnit({
   type: "apps.maybe",
   args: createArgs2("maybe", ["fqdn"]),
   secrets: {
     ...createSecrets(["backupPassword"]),
-    postgresqlPassword: Type19.Optional(Type19.String()),
-    secretKey: Type19.Optional(Type19.String())
+    postgresqlPassword: Type.Optional(Type.String()),
+    secretKey: Type.Optional(Type.String())
   },
   inputs: createInputs(["accessPoint", "resticRepo", "postgresql"]),
   meta: {
@@ -2895,31 +3173,28 @@ var maybe = defineUnit18({
   },
   source: createSource("maybe")
 });
-
-// src/apps/deployment.ts
-import { defineUnit as defineUnit19, Type as Type20 } from "@highstate/contract";
-var deployment = defineUnit19({
+var deployment = defineUnit({
   type: "apps.deployment",
   args: {
-    appName: Type20.Optional(Type20.String()),
-    fqdn: Type20.Optional(Type20.String()),
-    serviceType: Type20.Optional(serviceTypeSchema),
-    image: Type20.Optional(Type20.String()),
-    port: Type20.Optional(Type20.Number()),
-    replicas: Type20.Optional(Type20.Number()),
-    dataPath: Type20.Optional(Type20.String()),
-    env: Type20.Optional(Type20.Record(Type20.String(), Type20.Any())),
-    mariadbEnvMapping: Type20.Optional(Type20.Record(Type20.String(), Type20.Any())),
-    postgresqlEnvMapping: Type20.Optional(Type20.Record(Type20.String(), Type20.Any())),
-    mongodbEnvMapping: Type20.Optional(Type20.Record(Type20.String(), Type20.Any())),
-    manifest: Type20.Optional(Type20.Record(Type20.String(), Type20.Any())),
-    serviceManifest: Type20.Optional(Type20.Record(Type20.String(), Type20.Any())),
-    httpRouteManifest: Type20.Optional(Type20.Record(Type20.String(), Type20.Any()))
+    appName: Type.Optional(Type.String()),
+    fqdn: Type.Optional(Type.String()),
+    serviceType: Type.Optional(serviceTypeSchema),
+    image: Type.Optional(Type.String()),
+    port: Type.Optional(Type.Number()),
+    replicas: Type.Optional(Type.Number()),
+    dataPath: Type.Optional(Type.String()),
+    env: Type.Optional(Type.Record(Type.String(), Type.Any())),
+    mariadbEnvMapping: Type.Optional(Type.Record(Type.String(), Type.Any())),
+    postgresqlEnvMapping: Type.Optional(Type.Record(Type.String(), Type.Any())),
+    mongodbEnvMapping: Type.Optional(Type.Record(Type.String(), Type.Any())),
+    manifest: Type.Optional(Type.Record(Type.String(), Type.Any())),
+    serviceManifest: Type.Optional(Type.Record(Type.String(), Type.Any())),
+    httpRouteManifest: Type.Optional(Type.Record(Type.String(), Type.Any()))
   },
   secrets: {
-    mariadbPassword: Type20.Optional(Type20.String()),
-    postgresqlPassword: Type20.Optional(Type20.String()),
-    mongodbPassword: Type20.Optional(Type20.String())
+    mariadbPassword: Type.Optional(Type.String()),
+    postgresqlPassword: Type.Optional(Type.String()),
+    mongodbPassword: Type.Optional(Type.String())
   },
   inputs: createInputs([
     "accessPoint",
@@ -2942,11 +3217,8 @@ var deployment = defineUnit19({
   },
   source: createSource("deployment")
 });
-
-// src/apps/syncthing.ts
-import { defineUnit as defineUnit20, Type as Type21 } from "@highstate/contract";
-var backupModeSchema = Type21.StringEnum(["state", "full"]);
-var syncthing = defineUnit20({
+var backupModeSchema = Type.StringEnum(["state", "full"]);
+var syncthing = defineUnit({
   type: "apps.syncthing",
   args: {
     ...createArgs2("syncthing", ["fqdn", "external"]),
@@ -2956,7 +3228,15 @@ var syncthing = defineUnit20({
      * The `fqdn` argument unlike this one points to the gateway and used to
      * access the Syncthing Web UI.
      */
-    deviceFqdn: Type21.Optional(Type21.String()),
+    deviceFqdn: {
+      schema: Type.Optional(Type.String()),
+      meta: {
+        description: `The FQDN of the Syncthing instance used to sync with other devices.
+
+ The \`fqdn\` argument unlike this one points to the gateway and used to
+ access the Syncthing Web UI.`
+      }
+    },
     /**
      * The backup mode to use for the Syncthing instance.
      *
@@ -2966,7 +3246,18 @@ var syncthing = defineUnit20({
      *
      * The default is `state`.
      */
-    backupMode: Type21.Default(backupModeSchema, "state")
+    backupMode: {
+      schema: Type.Default(backupModeSchema, "state"),
+      meta: {
+        description: `The backup mode to use for the Syncthing instance.
+
+ - \`state\`: Only the state is backed up. When the instance is restored, it will
+ sync files from the other devices automatically.
+ - \`full\`: A full backup is created including all files.
+
+ The default is \`state\`.`
+      }
+    }
   },
   secrets: createSecrets(["backupPassword"]),
   inputs: createInputs(["accessPoint", "resticRepo", "volume"]),
@@ -2986,16 +3277,13 @@ var syncthing = defineUnit20({
   },
   source: createSource("syncthing")
 });
-
-// src/apps/code-server.ts
-import { defineUnit as defineUnit21, Type as Type22 } from "@highstate/contract";
-var codeServer = defineUnit21({
+var codeServer = defineUnit({
   type: "apps.code-server",
   args: createArgs2("code-server", ["fqdn"]),
   secrets: {
     ...createSecrets(["backupPassword"]),
-    password: Type22.Optional(Type22.String()),
-    sudoPassword: Type22.Optional(Type22.String())
+    password: Type.Optional(Type.String()),
+    sudoPassword: Type.Optional(Type.String())
   },
   inputs: createInputs(["accessPoint", "resticRepo", "dnsProviders", "volume"]),
   outputs: {
@@ -3013,10 +3301,7 @@ var codeServer = defineUnit21({
     path: "code-server"
   }
 });
-
-// src/apps/hubble.ts
-import { defineUnit as defineUnit22 } from "@highstate/contract";
-var hubble = defineUnit22({
+var hubble = defineUnit({
   type: "apps.hubble",
   args: createArgs2("hubble", ["fqdn"]),
   inputs: createInputs(["accessPoint"]),
@@ -3035,11 +3320,10 @@ var cloudflare_exports = {};
 __export(cloudflare_exports, {
   connection: () => connection2
 });
-import { defineUnit as defineUnit23, Type as Type23 } from "@highstate/contract";
-var connection2 = defineUnit23({
+var connection2 = defineUnit({
   type: "cloudflare.connection",
   secrets: {
-    apiToken: Type23.String()
+    apiToken: Type.String()
   },
   outputs: {
     dnsProvider: providerEntity
@@ -3065,7 +3349,6 @@ __export(k3s_exports, {
   internalComponents: () => internalComponents,
   packagedComponents: () => packagedComponents
 });
-import { defineUnit as defineUnit24, Type as Type24 } from "@highstate/contract";
 var packagedComponents = [
   "coredns",
   "servicelb",
@@ -3081,60 +3364,60 @@ var internalComponents = [
   "network-policy",
   "helm-controller"
 ];
-var componentSchema = Type24.StringEnum([...packagedComponents, ...internalComponents]);
-var cniSchema3 = Type24.StringEnum(["none", "flannel"]);
-var cluster2 = defineUnit24({
+var componentSchema = Type.StringEnum([...packagedComponents, ...internalComponents]);
+var cniSchema3 = Type.StringEnum(["none", "flannel"]);
+var cluster2 = defineUnit({
   type: "k3s.cluster",
   args: {
     /**
      * The components to disable in the K3S cluster.
-     *
-     * @schema
      */
     disabledComponents: {
-      ...Type24.Default(Type24.Array(componentSchema), []),
-      description: `The components to disable in the K3S cluster.`
+      schema: Type.Default(Type.Array(componentSchema), []),
+      meta: {
+        description: `The components to disable in the K3S cluster.`
+      }
     },
     /**
      * The CNI to use in the K3S cluster.
      *
      * Setting this to "none" will disable default Flannel CNI, but will not disable network policy controller and kube-proxy.
      * If needed, you can disable them using `disabledComponents` argument.
-     *
-     * @schema
      */
     cni: {
-      ...Type24.Default(cniSchema3, "flannel"),
-      description: `The CNI to use in the K3S cluster.
+      schema: Type.Default(cniSchema3, "flannel"),
+      meta: {
+        description: `The CNI to use in the K3S cluster.
 
  Setting this to "none" will disable default Flannel CNI, but will not disable network policy controller and kube-proxy.
  If needed, you can disable them using \`disabledComponents\` argument.`
+      }
     },
     /**
      * The K3S configuration to pass to each server or agent in the cluster.
      *
      * See: https://docs.k3s.io/installation/configuration
-     *
-     * @schema
      */
     config: {
-      ...Type24.Optional(Type24.Record(Type24.String(), Type24.Any())),
-      description: `The K3S configuration to pass to each server or agent in the cluster.
+      schema: Type.Optional(Type.Record(Type.String(), Type.Any())),
+      meta: {
+        description: `The K3S configuration to pass to each server or agent in the cluster.
 
  See: https://docs.k3s.io/installation/configuration`
+      }
     },
     /**
      * The configuration of the registries to use for the K3S cluster.
      *
      * See: https://docs.k3s.io/installation/private-registry
-     *
-     * @schema
      */
     registries: {
-      ...Type24.Optional(Type24.Record(Type24.String(), Type24.Any())),
-      description: `The configuration of the registries to use for the K3S cluster.
+      schema: Type.Optional(Type.Record(Type.String(), Type.Any())),
+      meta: {
+        description: `The configuration of the registries to use for the K3S cluster.
 
  See: https://docs.k3s.io/installation/private-registry`
+      }
     }
   },
   inputs: clusterInputs,
@@ -3157,19 +3440,18 @@ var mullvad_exports = {};
 __export(mullvad_exports, {
   peer: () => peer2
 });
-import { defineUnit as defineUnit25, Type as Type25 } from "@highstate/contract";
-var peer2 = defineUnit25({
+var peer2 = defineUnit({
   type: "mullvad.peer",
   args: {
-    hostname: Type25.Optional(Type25.String()),
+    hostname: Type.Optional(Type.String()),
     /**
      * Whether to include Mullvad DNS servers in the peer configuration.
-     *
-     * @schema
      */
     includeDns: {
-      ...Type25.Default(Type25.Boolean(), true),
-      description: `Whether to include Mullvad DNS servers in the peer configuration.`
+      schema: Type.Default(Type.Boolean(), true),
+      meta: {
+        description: `Whether to include Mullvad DNS servers in the peer configuration.`
+      }
     }
   },
   inputs: {
@@ -3177,17 +3459,15 @@ var peer2 = defineUnit25({
      * The network to use for the WireGuard peer.
      *
      * If not provided, the peer will use default network configuration.
-     *
-     * @schema
      */
     network: {
-      ...{
-        entity: networkEntity,
-        required: false
-      },
-      description: `The network to use for the WireGuard peer.
+      entity: networkEntity,
+      required: false,
+      meta: {
+        description: `The network to use for the WireGuard peer.
 
  If not provided, the peer will use default network configuration.`
+      }
     }
   },
   outputs: {
@@ -3218,18 +3498,17 @@ __export(timeweb_exports, {
   connectionEntity: () => connectionEntity,
   virtualMachine: () => virtualMachine2
 });
-import { defineEntity as defineEntity13, defineUnit as defineUnit26, Type as Type26 } from "@highstate/contract";
-var connectionEntity = defineEntity13({
+var connectionEntity = defineEntity({
   type: "timeweb.connection",
-  schema: Type26.Object({
-    name: Type26.String(),
-    apiToken: Type26.String()
+  schema: Type.Object({
+    name: Type.String(),
+    apiToken: Type.String()
   })
 });
-var connection3 = defineUnit26({
+var connection3 = defineUnit({
   type: "timeweb.connection",
   secrets: {
-    apiToken: Type26.String()
+    apiToken: Type.String()
   },
   outputs: {
     connection: connectionEntity
@@ -3245,12 +3524,12 @@ var connection3 = defineUnit26({
     path: "connection"
   }
 });
-var virtualMachine2 = defineUnit26({
+var virtualMachine2 = defineUnit({
   type: "timeweb.virtual-machine",
   args: {
-    presetId: Type26.Optional(Type26.Number()),
-    osId: Type26.Optional(Type26.Number()),
-    availabilityZone: Type26.String()
+    presetId: Type.Optional(Type.Number()),
+    osId: Type.Optional(Type.Number()),
+    availabilityZone: Type.String()
   },
   inputs: {
     connection: connectionEntity,
@@ -3260,7 +3539,7 @@ var virtualMachine2 = defineUnit26({
     }
   },
   secrets: {
-    sshPrivateKey: Type26.Optional(Type26.String())
+    sshPrivateKey: Type.Optional(Type.String())
   },
   outputs: {
     server: serverEntity
@@ -3281,39 +3560,54 @@ var virtualMachine2 = defineUnit26({
 // src/nixos.ts
 var nixos_exports = {};
 __export(nixos_exports, {
-  flakeEntity: () => flakeEntity,
   inlineFlake: () => inlineFlake,
   inlineModule: () => inlineModule,
-  inlineModuleEntity: () => inlineModuleEntity,
-  remoteFlake: () => remoteFlake,
   system: () => system
 });
-import { defineEntity as defineEntity14, defineUnit as defineUnit27, Type as Type27 } from "@highstate/contract";
-var inlineModuleEntity = defineEntity14({
-  type: "nixos.inline-module",
-  schema: Type27.Object({
-    code: Type27.String()
-  }),
-  meta: {
-    displayName: "NixOS Inline Module",
-    description: "The NixOS module reference.",
-    color: "#5277c3"
-  }
-});
-var inlineModule = defineUnit27({
+var inlineModule = defineUnit({
   type: "nixos.inline-module",
   args: {
-    code: Type27.String({ language: "nix" })
+    /**
+     * The name of the module file.
+     *
+     * If not provided, the name will be the name of the unit.
+     */
+    moduleName: {
+      schema: Type.Optional(Type.String()),
+      meta: {
+        description: `The name of the module file.
+
+ If not provided, the name will be the name of the unit.`
+      }
+    },
+    /**
+     * The code of the NixOS module.
+     *
+     * In this code you can reference other modules and files by their names.
+     */
+    code: {
+      schema: Type.String({ language: "nix" }),
+      meta: {
+        description: `The code of the NixOS module.
+
+ In this code you can reference other modules and files by their names.`
+      }
+    }
   },
   inputs: {
     files: {
       entity: fileEntity,
       required: false,
       multiple: true
+    },
+    folders: {
+      entity: folderEntity,
+      required: false,
+      multiple: true
     }
   },
   outputs: {
-    module: inlineModuleEntity
+    folder: folderEntity
   },
   meta: {
     displayName: "NixOS Inline Module",
@@ -3328,63 +3622,50 @@ var inlineModule = defineUnit27({
     path: "inline-module"
   }
 });
-var flakeEntity = defineEntity14({
-  type: "nixos.flake",
-  schema: Type27.Object({
-    url: Type27.String()
-  }),
-  meta: {
-    displayName: "NixOS Flake",
-    description: "The NixOS flake reference.",
-    color: "#5277c3"
-  }
-});
-var remoteFlake = defineUnit27({
-  type: "nixos.remote-flake",
-  args: {
-    url: Type27.String()
-  },
-  outputs: {
-    flake: flakeEntity
-  },
-  meta: {
-    displayName: "NixOS Remote Flake",
-    description: "References a remote NixOS flake.",
-    primaryIcon: "simple-icons:nixos",
-    primaryIconColor: "#7ebae4",
-    secondaryIcon: "simple-icons:git",
-    secondaryIconColor: "#f1502f",
-    category: "NixOS"
-  },
-  source: {
-    package: "@highstate/nixos",
-    path: "flake"
-  }
-});
-var inlineFlake = defineUnit27({
+var inlineFlake = defineUnit({
   type: "nixos.inline-flake",
   args: {
-    code: Type27.String({ language: "nix" })
+    /**
+     * The name of the flake folder.
+     *
+     * If not provided, the name will be the name of the unit.
+     */
+    flakeName: {
+      schema: Type.Optional(Type.String()),
+      meta: {
+        description: `The name of the flake folder.
+
+ If not provided, the name will be the name of the unit.`
+      }
+    },
+    /**
+     * The code of the `flake.nix` file.
+     *
+     * In this code you can reference other flakes, modules, files, and folders by their names.
+     */
+    code: {
+      schema: Type.String({ language: "nix" }),
+      meta: {
+        description: `The code of the \`flake.nix\` file.
+
+ In this code you can reference other flakes, modules, files, and folders by their names.`
+      }
+    }
   },
   inputs: {
-    flakes: {
-      entity: flakeEntity,
-      required: false,
-      multiple: true
-    },
-    modules: {
-      entity: inlineModuleEntity,
+    files: {
+      entity: fileEntity,
       required: false,
       multiple: true
     },
-    files: {
-      entity: fileEntity,
+    folders: {
+      entity: folderEntity,
       required: false,
       multiple: true
     }
   },
   outputs: {
-    flake: flakeEntity
+    folder: folderEntity
   },
   meta: {
     displayName: "NixOS Inline Flake",
@@ -3399,19 +3680,14 @@ var inlineFlake = defineUnit27({
     path: "inline-flake"
   }
 });
-var system = defineUnit27({
+var system = defineUnit({
   type: "nixos.system",
   args: {
-    system: Type27.Optional(Type27.String())
+    system: Type.Optional(Type.String())
   },
   inputs: {
-    flake: flakeEntity,
     server: serverEntity,
-    modules: {
-      entity: inlineModuleEntity,
-      required: false,
-      multiple: true
-    }
+    flake: folderEntity
   },
   outputs: {
     server: serverEntity
@@ -3435,11 +3711,10 @@ var sops_exports = {};
 __export(sops_exports, {
   secrets: () => secrets
 });
-import { defineUnit as defineUnit28, Type as Type28 } from "@highstate/contract";
-var secrets = defineUnit28({
+var secrets = defineUnit({
   type: "sops.secrets",
-  args: {
-    secrets: Type28.Record(Type28.String(), Type28.Any())
+  secrets: {
+    data: Type.Record(Type.String(), Type.Any())
   },
   inputs: {
     servers: {
@@ -3470,165 +3745,168 @@ __export(obfuscators_exports, {
   obfuscatorSpec: () => obfuscatorSpec,
   phantun: () => phantun_exports
 });
-
-// src/obfuscators/shared.ts
-import { Type as Type29 } from "@highstate/contract";
 var deobfuscatorSpec = {
-  args: {
+  args: $args({
     /**
      * The name of the namespace and deployment to deploy the deobfuscator on.
      *
      * By default, calculated as `deobfs-{type}-{name}`.
      */
-    appName: Type29.Optional(Type29.String()),
+    appName: {
+      schema: Type.Optional(Type.String()),
+      meta: {
+        description: `The name of the namespace and deployment to deploy the deobfuscator on.
+
+ By default, calculated as \`deobfs-{type}-{name}\`.`
+      }
+    },
     /**
      * The L4 endpoint to forward deobfuscated traffic to.
      *
      * Will take precedence over the `targetEndpoint` input.
-     *
-     * @schema
      */
     targetEndpoints: {
-      ...Type29.Default(Type29.Array(Type29.String()), []),
-      description: `The L4 endpoint to forward deobfuscated traffic to.
+      schema: Type.Default(Type.Array(Type.String()), []),
+      meta: {
+        description: `The L4 endpoint to forward deobfuscated traffic to.
 
  Will take precedence over the \`targetEndpoint\` input.`
+      }
     },
     /**
      * Whether to expose the deobfuscator service by "NodePort" or "LoadBalancer".
      *
      * By default, the service is not exposed and only accessible from within the cluster.
-     *
-     * @schema
      */
     external: {
-      ...Type29.Default(Type29.Boolean(), false),
-      description: `Whether to expose the deobfuscator service by "NodePort" or "LoadBalancer".
+      schema: Type.Default(Type.Boolean(), false),
+      meta: {
+        description: `Whether to expose the deobfuscator service by "NodePort" or "LoadBalancer".
 
  By default, the service is not exposed and only accessible from within the cluster.`
+      }
     }
-  },
-  inputs: {
+  }),
+  inputs: $inputs({
     /**
      * The Kubernetes cluster to deploy the deobfuscator on.
-     *
-     * @schema
      */
     k8sCluster: {
-      ...clusterEntity2,
-      description: `The Kubernetes cluster to deploy the deobfuscator on.`
+      entity: clusterEntity2,
+      meta: {
+        description: `The Kubernetes cluster to deploy the deobfuscator on.`
+      }
     },
     /**
      * The L4 endpoints to forward deobfuscated traffic to.
      *
      * Will select the most appropriate endpoint based on the environment.
-     *
-     * @schema
      */
     targetEndpoints: {
-      ...{
-        entity: l4EndpointEntity,
-        required: false,
-        multiple: true
-      },
-      description: `The L4 endpoints to forward deobfuscated traffic to.
+      entity: l4EndpointEntity,
+      required: false,
+      multiple: true,
+      meta: {
+        description: `The L4 endpoints to forward deobfuscated traffic to.
 
  Will select the most appropriate endpoint based on the environment.`
+      }
     }
-  },
-  outputs: {
+  }),
+  outputs: $outputs({
     /**
      * The L4 endpoints of the deobfuscator accepting obfuscated traffic.
-     *
-     * @schema
      */
     endpoints: {
-      ...{
-        entity: l4EndpointEntity,
-        required: false,
-        multiple: true
-      },
-      description: `The L4 endpoints of the deobfuscator accepting obfuscated traffic.`
+      entity: l4EndpointEntity,
+      required: false,
+      multiple: true,
+      meta: {
+        description: `The L4 endpoints of the deobfuscator accepting obfuscated traffic.`
+      }
     }
-  }
+  })
 };
 var obfuscatorSpec = {
-  args: {
+  args: $args({
     /**
      * The name of the namespace and deployment to deploy the obfuscator on.
      *
      * By default, calculated as `obfs-{type}-{name}`.
      */
-    appName: Type29.Optional(Type29.String()),
+    appName: {
+      schema: Type.Optional(Type.String()),
+      meta: {
+        description: `The name of the namespace and deployment to deploy the obfuscator on.
+
+ By default, calculated as \`obfs-{type}-{name}\`.`
+      }
+    },
     /**
      * The endpoint of the deobfuscator to pass obfuscated traffic to.
      *
      * Will take precedence over the `endpoint` input.
-     *
-     * @schema
      */
     endpoints: {
-      ...Type29.Default(Type29.Array(Type29.String()), []),
-      description: `The endpoint of the deobfuscator to pass obfuscated traffic to.
+      schema: Type.Default(Type.Array(Type.String()), []),
+      meta: {
+        description: `The endpoint of the deobfuscator to pass obfuscated traffic to.
 
  Will take precedence over the \`endpoint\` input.`
+      }
     },
     /**
      * Whether to expose the obfuscator service by "NodePort" or "LoadBalancer".
      *
      * By default, the service is not exposed and only accessible from within the cluster.
-     *
-     * @schema
      */
     external: {
-      ...Type29.Default(Type29.Boolean(), false),
-      description: `Whether to expose the obfuscator service by "NodePort" or "LoadBalancer".
+      schema: Type.Default(Type.Boolean(), false),
+      meta: {
+        description: `Whether to expose the obfuscator service by "NodePort" or "LoadBalancer".
 
  By default, the service is not exposed and only accessible from within the cluster.`
+      }
     }
-  },
-  inputs: {
+  }),
+  inputs: $inputs({
     /**
      * The Kubernetes cluster to deploy the obfuscator on.
-     *
-     * @schema
      */
     k8sCluster: {
-      ...clusterEntity2,
-      description: `The Kubernetes cluster to deploy the obfuscator on.`
+      entity: clusterEntity2,
+      meta: {
+        description: `The Kubernetes cluster to deploy the obfuscator on.`
+      }
     },
     /**
      * The L4 endpoints of the deobfuscator to pass obfuscated traffic to.
      *
      * Will select the most appropriate endpoint based on the environment.
-     *
-     * @schema
      */
     endpoints: {
-      ...{
-        entity: l4EndpointEntity,
-        required: false,
-        multiple: true
-      },
-      description: `The L4 endpoints of the deobfuscator to pass obfuscated traffic to.
+      entity: l4EndpointEntity,
+      required: false,
+      multiple: true,
+      meta: {
+        description: `The L4 endpoints of the deobfuscator to pass obfuscated traffic to.
 
  Will select the most appropriate endpoint based on the environment.`
+      }
     }
-  },
-  outputs: {
+  }),
+  outputs: $outputs({
     /**
      * The L4 endpoints accepting unobfuscated traffic.
-     *
-     * @schema
      */
     entryEndpoints: {
-      ...{
-        entity: l4EndpointEntity,
-        multiple: true
-      },
-      description: `The L4 endpoints accepting unobfuscated traffic.`
+      entity: l4EndpointEntity,
+      multiple: true,
+      meta: {
+        description: `The L4 endpoints accepting unobfuscated traffic.`
+      }
     }
-  }
+  })
 };
 
 // src/obfuscators/phantun.ts
@@ -3637,8 +3915,7 @@ __export(phantun_exports, {
   deobfuscator: () => deobfuscator,
   obfuscator: () => obfuscator
 });
-import { defineUnit as defineUnit29 } from "@highstate/contract";
-var deobfuscator = defineUnit29({
+var deobfuscator = defineUnit({
   type: "obfuscators.phantun.deobfuscator",
   ...deobfuscatorSpec,
   meta: {
@@ -3653,7 +3930,7 @@ var deobfuscator = defineUnit29({
     path: "phantun/deobfuscator"
   }
 });
-var obfuscator = defineUnit29({
+var obfuscator = defineUnit({
   type: "obfuscators.phantun.obfuscator",
   ...obfuscatorSpec,
   meta: {
@@ -3668,25 +3945,119 @@ var obfuscator = defineUnit29({
     path: "phantun/obfuscator"
   }
 });
-export {
-  apps_exports as apps,
-  arrayPatchModeSchema,
-  cloudflare_exports as cloudflare,
-  common_exports as common,
-  dns_exports as dns,
-  k3s_exports as k3s,
-  k8s_exports as k8s,
-  mullvad_exports as mullvad,
-  network_exports as network,
-  nixos_exports as nixos,
-  obfuscators_exports as obfuscators,
-  prefixKeysWith,
-  proxmox_exports as proxmox,
-  restic_exports as restic,
-  sops_exports as sops,
-  ssh_exports as ssh,
-  talos_exports as talos,
-  timeweb_exports as timeweb,
-  wireguard_exports as wireguard
-};
+
+// src/distributions/index.ts
+var distributions_exports = {};
+__export(distributions_exports, {
+  ubuntu: () => ubuntu,
+  ubuntuArchitectureSchema: () => ubuntuArchitectureSchema,
+  ubuntuVersionSchema: () => ubuntuVersionSchema
+});
+var ubuntuVersionSchema = Type.StringEnum(["22.04", "24.04", "24.10", "25.04", "25.10"]);
+var ubuntuArchitectureSchema = Type.StringEnum(["amd64", "arm64"]);
+var ubuntu = defineUnit({
+  type: "distributions.ubuntu",
+  args: {
+    version: Type.Default(ubuntuVersionSchema, "24.04"),
+    architecture: Type.Default(ubuntuArchitectureSchema, "amd64")
+  },
+  outputs: {
+    image: fileEntity,
+    cloudConfig: fileEntity
+  },
+  meta: {
+    displayName: "Ubuntu",
+    description: "Ubuntu distribution with image and cloud-config.",
+    primaryIcon: "mdi:ubuntu",
+    primaryIconColor: "#E95420",
+    category: "Distributions"
+  },
+  source: {
+    package: "@highstate/distributions",
+    path: "ubuntu"
+  }
+});
+
+// src/git.ts
+var git_exports = {};
+__export(git_exports, {
+  remoteRepository: () => remoteRepository
+});
+var remoteRepository = defineUnit({
+  type: "git.remote-repository",
+  args: {
+    /**
+     * The URL of the remote repository.
+     */
+    url: {
+      schema: Type.Optional(Type.String()),
+      meta: {
+        description: `The URL of the remote repository.`
+      }
+    },
+    /**
+     * The ref of the remote repository to checkout.
+     *
+     * If not specified, the default branch will be used.
+     */
+    ref: {
+      schema: Type.Optional(Type.String()),
+      meta: {
+        description: `The ref of the remote repository to checkout.
+
+ If not specified, the default branch will be used.`
+      }
+    },
+    /**
+     * Whether to include the .git directory in the packed artifact.
+     *
+     * Do not enable this unless you need the full git history.
+     */
+    includeGit: {
+      schema: Type.Default(Type.Boolean(), false),
+      meta: {
+        description: `Whether to include the .git directory in the packed artifact.
+
+ Do not enable this unless you need the full git history.`
+      }
+    }
+  },
+  inputs: {
+    /**
+     * The L7 endpoint of the remote repository.
+     */
+    endpoint: {
+      entity: l7EndpointEntity,
+      required: false,
+      meta: {
+        description: `The L7 endpoint of the remote repository.`
+      }
+    }
+  },
+  outputs: {
+    /**
+     * The folder containing the repository content.
+     */
+    folder: {
+      entity: folderEntity,
+      meta: {
+        description: `The folder containing the repository content.`
+      }
+    }
+  },
+  meta: {
+    displayName: "Git Remote Repository",
+    description: "References a remote Git repository.",
+    primaryIcon: "simple-icons:git",
+    primaryIconColor: "#f1502f",
+    category: "Git"
+  },
+  source: {
+    package: "@highstate/git",
+    path: "remote-repository"
+  }
+});
+
+export { apps_exports as apps, arrayPatchModeSchema, cloudflare_exports as cloudflare, common_exports as common, distributions_exports as distributions, dns_exports as dns, git_exports as git, k3s_exports as k3s, k8s_exports as k8s, mullvad_exports as mullvad, network_exports as network, nixos_exports as nixos, obfuscators_exports as obfuscators, prefixKeysWith, proxmox_exports as proxmox, restic_exports as restic, sops_exports as sops, ssh_exports as ssh, talos_exports as talos, timeweb_exports as timeweb, wireguard_exports as wireguard };
+//# sourceMappingURL=index.js.map
 //# sourceMappingURL=index.js.map